CRITICAL🇵🇱 Wersja polska

CVE-2026-33992

CVSS 9.3v4.0pub. 2026-03-27upd. 2026-03-31

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Pyload

    APP
    Pyload
    0.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2024-47821CRITICAL9.1PL ✓ten sam produkt

RCE w pyLoad przez zapis pliku wykonywalnego do folderu /scripts

CVE-2024-32880CRITICAL9.1PL ✓ten sam produkt

pyload: RCE przez upload złośliwego szablonu przez uwierzytelnionego użytkownika

CVE-2023-0435CRITICAL9.8ten sam produkt

Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.

CVE-2023-0297CRITICAL9.8ten sam produkt

Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.

CVE-2026-41133HIGH8.8ten sam produkt

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev9...