CVE-2026-35459: pyload-ng SSRF Vulnerability <=0.5.0b3.dev96
Platform: python
Component: pyload
CVE-2026-35459 is a Server-Side Request Forgery (SSRF) vulnerability discovered in pyload-ng. This flaw allows an authenticated user with ADD permission to bypass the existing SSRF protection by crafting a URL that redirects to an internal address, potentially exposing sensitive internal resources. The vulnerability affects versions of pyload-ng up to and including 0.5.0b3.dev96, and a fix is available.
How to fix
Update pyLoad to a fixed version that validates HTTP redirect URLs to prevent Server-Side Request Forgery (SSRF) attacks. The vulnerability arises because HTTP redirects are not validated after the initial fix for CVE-2026-33992. See the GitHub repository for more details and the fixed version.
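The class of fix described above, re-validating the destination at every redirect hop instead of only checking the submitted URL, looks like this in outline. This is an added illustration, not pyLoad's code or its patch; `follow_redirects`, `check_url`, the `send` transport hook and the sample host names and addresses are all assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

class BlockedDestination(Exception):
    """Raised when a URL in the chain must not be fetched."""

def resolve(host):
    """Default resolver: every address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_url(url, resolver=resolve):
    """Reject non-HTTP schemes and hosts with any non-public address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(f"scheme or host not allowed: {url}")
    addrs = resolver(parts.hostname)
    if not addrs:  # fail closed when nothing resolves
        raise BlockedDestination(f"no address for {parts.hostname}")
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            raise BlockedDestination(f"{url} resolves to non-public {addr}")

def follow_redirects(url, send, resolver=resolve, max_hops=5):
    """Validate every hop, not just the first URL.

    send(url) is a hypothetical transport hook: it performs ONE request with
    automatic redirect following disabled and returns (status, location).
    """
    for _ in range(max_hops + 1):
        check_url(url, resolver)
        status, location = send(url)
        if status not in REDIRECT_CODES or not location:
            return url, status
        url = urljoin(url, location)  # Location may be relative
    raise BlockedDestination("too many redirects")

# Constructed sample data: a fake DNS table and a fake redirecting server.
DNS = {"files.example.com": {"93.184.216.34"}}
RESPONSES = {
    "http://files.example.com/ok.zip": (200, None),
    "http://files.example.com/moved.zip": (302, "/ok.zip"),
    "http://files.example.com/trap.zip": (302, "http://169.254.169.254/latest/"),
}

def fake_resolve(host):
    return DNS.get(host, {host})  # IP literals resolve to themselves

def fake_send(url):
    return RESPONSES[url]
```

The check resolves the host name separately from the eventual connection, so a production client should also connect to the address it validated rather than resolving again.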
Frequently asked questions
What is CVE-2026-35459?
CVE-2026-35459 is a CRITICAL SSRF vulnerability in pyload-ng. It allows attackers to bypass IP validation by exploiting HTTP redirects, potentially accessing internal resources. The initial fix for a previous SSRF vulnerability was incomplete.
Am I affected by CVE-2026-35459?
You are affected if you are using pyload-ng version 0.5.0b3.dev96 or earlier. This vulnerability requires an authenticated user with ADD permission to exploit.
How do I fix CVE-2026-35459?
Update pyload-ng to a patched version that addresses this SSRF bypass. Refer to the project's release notes or official channels for the latest version with the fix.