SSRF in pyLoad
CVE-2026-33992
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, pyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (10.0th percentile)
Affected products
- pyLoad — versions < 0.5.0b3.dev97
Weakness classification (CWE)
References
- https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x (x_refsource_CONFIRM)
- https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8 (x_refsource_MISC)