CVE-2026-35187: SSRF in pyload-ng ≤0.5.0b3.dev96
Platform: python
Component: pyload
Fixed in: 0.5.0b3.dev96
CVE-2026-35187 is a Server-Side Request Forgery (SSRF) vulnerability in pyload-ng, located in the `parse_urls` API function. It allows authenticated users with ADD permission to make the server send requests to arbitrary URLs, which can expose internal resources, enable file reading via the `file://` protocol, and allow interaction with internal services. The vulnerability affects versions of pyload-ng up to and including 0.5.0b3.dev96; a fix is currently pending.
How to fix
Upgrade to version 0.5.0b3.dev96 or later to mitigate the SSRF vulnerability. This version implements URL validation and protocol restrictions to prevent unauthorized access to internal resources.
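The kind of URL validation and protocol restriction described above, sketched as an added example (this is not pyload-ng's patch or code). `check_fetch_url`, `is_public`, `fake_resolver` and the hostnames and addresses in `FAKE_DNS` are hypothetical names and constructed data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web downloads are needed


def is_public(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    return ip.is_global and not ip.is_multicast


def check_fetch_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason) for a user-supplied URL, before any request."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises on a junk port
    except ValueError:
        return False, "malformed URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"  # e.g. file://
    if not host:
        return False, "missing host"
    try:
        port = port or (443 if scheme == "https" else 80)
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except OSError:
        return False, "host does not resolve"
    for addr in sorted({info[4][0] for info in infos}):  # check every answer
        if not is_public(addr):
            return False, "resolves to non-public address " + addr
    return True, "ok"


# Constructed DNS answers so the example runs offline (not real records).
FAKE_DNS = {"files.example.org": "93.184.216.34", "intranet.example.org": "10.0.0.5"}


def fake_resolver(host, port, **_):
    ip = FAKE_DNS.get(host, host)  # IP literals resolve to themselves
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))]


if __name__ == "__main__":
    for u in ("https://files.example.org/a.zip", "file:///etc/passwd", "http://intranet.example.org/"):
        print(u, "->", check_fetch_url(u, fake_resolver))
```

A check like this only holds if the fetch then connects to the address that was validated and every redirect target is passed through the same function.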
Frequently asked questions
What is CVE-2026-35187?
CVE-2026-35187 is a Server-Side Request Forgery (SSRF) vulnerability in pyload-ng. It allows an authenticated user to make requests to internal resources and potentially read local files.
Am I affected by CVE-2026-35187?
You are potentially affected if you are using pyload-ng version 0.5.0b3.dev96 or earlier. The vulnerability requires authentication and ADD permission within the application.
How can I fix or mitigate CVE-2026-35187?
Currently, no official patch is available. Mitigation strategies may include restricting network access for the pyload-ng application and carefully reviewing user permissions to prevent unauthorized ADD operations.