SSRF in pyLoad
CVE-2026-35459
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() t…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (13.3th percentile)
Affected products
- Pyload — versions <= 0.5.0b3.dev96
Weakness classification (CWE)
References
- https://github.com/pyload/pyload/security/advisories/GHSA-7gvf-3w72-p2pg (x_refsource_CONFIRM)
- https://github.com/pyload/pyload/commit/33c55da084320430edfd941b60e3da0eb1be9443 (x_refsource_MISC)