pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter

The SSRF vulnerability in pyLoad allows an attacker to initiate requests from the server as if they originated from the pyLoad application itself. This can be exploited to access internal network resources that are not directly accessible from the outside world. Specifically, an attacker could read local files via the file:// protocol, interact with internal services using gopher:// and dict:// protocols, and enumerate file existence. Furthermore, the attacker can access cloud metadata endpoints, potentially exposing sensitive cloud credentials. The ability to make arbitrary HTTP/HTTPS requests significantly expands the attack surface, enabling reconnaissance and potential exploitation of other internal systems.

Organizations using pyLoad for download management, particularly those with internal networks accessible from the internet, are at risk. Shared hosting environments where multiple users have access to the pyLoad API are especially vulnerable, as a compromised user account could be used to exploit the SSRF vulnerability and access resources belonging to other users.

• python / server:

import requests
import re

def check_pyload_ssrf(url):
    try:
        response = requests.get(url, timeout=5)
        if response.status_code == 200:
            if re.search(r'file://', url) or re.search(r'gopher://', url) or re.search(r'dict://', url):
                print(f"Potential SSRF vulnerability detected: {url}")
            else:
                print(f"URL accessed: {url}")
    except requests.exceptions.RequestException as e:
        print(f"Error accessing {url}: {e}")

# Example usage (replace with actual API endpoint)
api_endpoint = "http://your-pyload-server/api/add"

# Test with potentially malicious URLs
check_pyload_ssrf("file:///etc/passwd")
check_pyload_ssrf("gopher://127.0.0.1/some_internal_service")

1. 2026-04-06Disclosure

   disclosure

1. Reserviert2026-04-01
2. Veröffentlicht2026-04-06
3. Geändert2026-04-07
4. EPSS aktualisiert2026-04-14

The primary mitigation for CVE-2026-35187 is to upgrade pyLoad to version 0.5.0b3.dev96 or later, which includes the necessary URL validation and protocol restriction fixes. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting network access for the pyLoad application using a firewall or proxy. Additionally, carefully review and restrict the permissions granted to authenticated users, ensuring they only have the necessary privileges. Monitor network traffic for unusual outbound requests originating from the pyLoad server. After upgrading, confirm the fix by attempting to access an internal resource via the parse_urls API and verifying that the request is blocked.