Multiple critical vulnerabilities have been discovered in pyload-ng, potentially leading to Remote Code Execution (RCE), Server-Side Request Forgery (SSRF), and sensitive data exposure. These vulnerabilities affect versions up to 0.5.0b3.dev96, and users are urged to update to version 0.5.0b3.dev97 immediately to mitigate these risks.
These vulnerabilities range from high to critical, potentially allowing attackers to compromise systems.
What is Pyload Ng?
CVE-2026-33314: pyload-ng Host Header Spoofing Vulnerability
Medium severity, potentially exploitable with low effort.
EPSS score suggests a low probability of exploitation.
A host header spoofing vulnerability exists in pyload-ng's `@local_check` decorator, allowing unauthenticated attackers to bypass local-only restrictions. By spoofing the `Host` header, attackers can access Click'N'Load API endpoints and queue arbitrary downloads.
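The defensive point behind this CVE is that the Host header is client-supplied input and can never prove a request came from the local machine; the only trustworthy signal is the peer address of the TCP connection. The following is an added example (not pyload-ng's code) contrasting a Host-header-based check with a loopback check on the peer address, wrapped in a decorator in the spirit of a local-only guard. `FakeRequest`, `add_package` and `simulate` are constructed stand-ins for a framework request object and an endpoint.

```python
import ipaddress
from typing import Callable


def host_header_says_local(host_header: str) -> bool:
    """Weak check, constructed here for contrast (not pyload-ng's code): it trusts
    the Host header, which the client writes and can set to any value."""
    hostname = host_header.split(":", 1)[0]
    return hostname in ("localhost", "127.0.0.1")


def is_local_peer(remote_addr: str) -> bool:
    """Hardened check: classify the request by the transport-level peer address
    (what web frameworks expose as request.remote_addr), which comes from the
    TCP connection and not from any header. Anything that is not a loopback
    address, or not a valid address at all, is treated as remote."""
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False


def local_check(handler: Callable) -> Callable:
    """Decorator modelled on a local-only guard. The wrapped handler receives a
    request object exposing .remote_addr and .headers (an assumed interface)."""
    def wrapper(request, *args, **kwargs):
        if not is_local_peer(request.remote_addr):
            return 403, "forbidden: local access only"
        return handler(request, *args, **kwargs)
    return wrapper


class FakeRequest:
    """Constructed stand-in for a web framework's request object."""
    def __init__(self, remote_addr: str, host_header: str):
        self.remote_addr = remote_addr
        self.headers = {"Host": host_header}


@local_check
def add_package(request):
    """Hypothetical local-only endpoint that would queue a download."""
    return 200, "queued"


def simulate(remote_addr: str, host_header: str):
    """Run the guarded handler for a constructed request; returns (status, body)."""
    return add_package(FakeRequest(remote_addr, host_header))
```

If the service sits behind a reverse proxy, `remote_addr` is the proxy's address, and headers such as X-Forwarded-For deserve the same distrust as Host unless the proxy is known to overwrite them; in that deployment a local-only guard has to be enforced at the proxy or by binding the endpoint to the loopback interface.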
How to fix CVE-2026-33314 in pyload-ng
Patch within 24h
1. Upgrade pyload-ng to version 0.5.0b3.dev97 or later:
   pip install --upgrade pyload-ng
Workaround: Disable the Click'N'Load plugin if possible.
NextGuard automatically flags CVE-2026-33314 if pyload-ng appears in any of your monitored projects — no manual lookup required.
CVE-2026-33509: pyload-ng Remote Code Execution via Reconnect Script Configuration
High severity, potentially leading to system compromise.
EPSS score suggests a low probability of exploitation.
The `set_config_value()` API endpoint in pyload-ng allows users with `SETTINGS` permission to modify the `reconnect.script` configuration option without restriction. This enables them to set an arbitrary executable file path, leading to Remote Code Execution (RCE).
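A configuration option whose value is executed as a program is code, not data, and a setter that stores it without checks hands code execution to whoever can write settings. The added example below (hypothetical, not pyload-ng's code) shows one mitigation pattern: values for a key such as `reconnect.script` must pass a validator that canonicalises the path, confines it to an administrator-controlled scripts directory, and requires a regular file with an execute bit. `scripts_dir`, `set_config_value_checked` and `build_demo_environment` are assumptions of this example; the latter builds a constructed directory layout in a temp dir so the code runs stand-alone.

```python
import stat
import tempfile
from pathlib import Path


class ConfigValidationError(ValueError):
    """Raised when a configuration value fails its validator."""


def validate_reconnect_script(value: str, scripts_dir: str) -> str:
    """Accept only a regular, executable file located inside scripts_dir
    (an assumed administrator-controlled directory). Returns the canonical
    path; raises ConfigValidationError for anything else."""
    base = Path(scripts_dir).resolve()
    candidate = Path(value)
    if not candidate.is_absolute():
        candidate = base / candidate
    resolved = candidate.resolve()  # follows symlinks and collapses '..'
    if base not in resolved.parents:
        raise ConfigValidationError(f"{value!r} is outside {base}")
    if not resolved.is_file():
        raise ConfigValidationError(f"{value!r} is not a regular file")
    mode = resolved.stat().st_mode
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        raise ConfigValidationError(f"{value!r} has no execute bit set")
    return str(resolved)


# Keys whose values are interpreted as code get a validator; others are stored as-is.
VALIDATORS = {"reconnect.script": validate_reconnect_script}


def set_config_value_checked(config: dict, key: str, value: str, scripts_dir: str) -> dict:
    """Hypothetical hardened setter: a value for a key with a registered
    validator is stored only after the validator has accepted it."""
    validator = VALIDATORS.get(key)
    if validator is not None:
        value = validator(value, scripts_dir)
    config[key] = value
    return config


def build_demo_environment() -> dict:
    """Constructed layout for the demo: an approved scripts dir holding one
    executable script and one plain text file, plus an executable outside it."""
    root = Path(tempfile.mkdtemp(prefix="reconnect-demo-")).resolve()
    scripts = root / "scripts"
    scripts.mkdir()
    good = scripts / "reconnect.sh"
    good.write_text("#!/bin/sh\necho reconnect\n")
    good.chmod(0o755)
    notes = scripts / "notes.txt"
    notes.write_text("not a script\n")
    notes.chmod(0o644)
    outside = root / "outside"
    outside.mkdir()
    stray = outside / "anything.sh"
    stray.write_text("#!/bin/sh\n")
    stray.chmod(0o755)
    return {"scripts_dir": str(scripts), "good": str(good),
            "notes": str(notes), "outside": str(stray)}


def try_set(config: dict, key: str, value: str, scripts_dir: str) -> str:
    """Return the stored value on success or a 'rejected: ...' message otherwise."""
    try:
        return set_config_value_checked(config, key, value, scripts_dir)[key]
    except ConfigValidationError as exc:
        return f"rejected: {exc}"
```

The check on `resolved.parents` is what defeats both `..` segments and symlinks planted inside the scripts directory, because the comparison happens after `resolve()`. Restricting who holds the SETTINGS permission, as the workaround below suggests, remains necessary even with a validator in place, since the approved scripts themselves run with the service's privileges.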
How to fix CVE-2026-33509 in pyload-ng
Patch within 24h
1. Upgrade pyload-ng to version 0.5.0b3.dev97 or later:
   pip install --upgrade pyload-ng
Workaround: Restrict SETTINGS permissions to trusted users only. Avoid enabling the reconnect feature.
NextGuard automatically flags CVE-2026-33509 if pyload-ng appears in any of your monitored projects — no manual lookup required.
CVE-2026-33992: pyload-ng Server-Side Request Forgery (SSRF) Vulnerability
Critical severity, potentially leading to complete system compromise.
EPSS score suggests a low probability of exploitation.
PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata.
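The mitigation for this class of bug is to validate a user-supplied download URL before the engine connects: restrict the scheme, resolve the hostname, and reject any address in loopback, private, link-local (where cloud metadata services live) or other non-routable ranges. The added example below (not pyload-ng's code) implements that check with the standard library; `FAKE_DNS` and `fake_resolve` are a constructed resolver so the example runs offline, and `check_download_url` is an assumed name.

```python
import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Constructed resolver table so the example runs without network access.
# A real deployment would call socket.getaddrinfo here.
FAKE_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "intranet.example.internal": ["10.0.0.5"],
    "rebind.example.com": ["203.0.113.11", "127.0.0.1"],  # mixed public/loopback answer
}


def fake_resolve(hostname: str) -> List[str]:
    return FAKE_DNS.get(hostname, [])


# Ranges a download engine has no business contacting on a user's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_address(addr: str) -> bool:
    """True if the address falls in any blocked range (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_download_url(url: str, resolve: Callable[[str], List[str]] = fake_resolve) -> Tuple[bool, str]:
    """Return (allowed, reason). Every address the host resolves to must be
    acceptable; an unresolvable host fails closed."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)  # literal IP in the URL: check it directly
        addrs = [host]
    except ValueError:
        addrs = resolve(host)
        if not addrs:
            return False, f"could not resolve {host!r}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"
```

Two practical caveats: the address accepted here must be the one actually connected to (pin it, or re-resolve and re-check immediately before connecting), otherwise a DNS answer that changes between check and use bypasses the filter; and every HTTP redirect the engine follows must go through the same check, since a public host can redirect into an internal range. Integer and hexadecimal IP spellings such as `http://2130706433/` are not parsed as addresses by `ipaddress`, so they fall through to the resolver and are rejected when it returns nothing.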
How to fix CVE-2026-33992 in pyload-ng
Patch immediately
1. Upgrade pyload-ng to version 0.5.0b3.dev97 or later:
   pip install --upgrade pyload-ng
Workaround: Monitor network traffic for unusual outbound requests. Restrict network access from the pyload-ng instance.
NextGuard automatically flags CVE-2026-33992 if pyload-ng appears in any of your monitored projects — no manual lookup required.
Stay ahead of Python vulnerabilities
Proactively detect and remediate vulnerabilities in your Python dependencies. Monitor your Python dependencies with real-time alerts and comprehensive reporting.
These vulnerabilities highlight the importance of keeping your dependencies up to date. Regularly review all Python vulnerabilities and apply security patches promptly to protect your systems from potential attacks.