Platform: python
Component: pyload-ng
Fixed in: 0.5.1, 0.5.0b3.dev97
CVE-2026-33314 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in pyLoad-ng, a free and open-source download manager written in Python. This flaw allows unauthenticated attackers to bypass local-only restrictions, potentially leading to denial-of-service and unauthorized access. The vulnerability impacts versions of pyLoad-ng up to and including 0.5.0b3.dev96, and a patch is available in version 0.5.0b3.dev97.
The SSRF vulnerability in pyLoad-ng arises from a Host Header Spoofing issue within the @local_check decorator. An attacker can exploit this by crafting malicious requests that bypass the intended local-only restrictions. Successful exploitation grants access to the Click'N'Load API endpoints, effectively allowing the attacker to remotely queue arbitrary downloads. This can lead to a denial-of-service condition by overwhelming the server with requests or potentially enabling attackers to download sensitive files accessible to the server. The impact is amplified by the unauthenticated nature of the vulnerability, meaning no prior authentication is required to exploit it.
This vulnerability was publicly disclosed on 2026-03-19. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it likely that a PoC will emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential for DoS, organizations using vulnerable versions of pyLoad-ng should prioritize patching.
Exploit Status
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2026-33314 is to immediately upgrade pyLoad-ng to version 0.5.0b3.dev97 or later, which contains the fix for the Host Header Spoofing vulnerability. If an immediate upgrade is not feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) or reverse proxy to filter requests and block those with suspicious Host headers. Specifically, configure the WAF to reject requests with Host headers that do not match the expected domain. Regularly review and update pyLoad-ng's configuration to ensure adherence to security best practices.
Update pyLoad-ng to version 0.5.0b3.dev97 or higher. This release corrects the origin validation (Host header) check and the improper-authentication condition it caused, preventing unauthorized access to the Click'N'Load API and mitigating the SSRF and DoS risks.
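To make the advisory's point concrete, here is an added illustration (not pyLoad-ng's own code, which is not reproduced on this page) of the general pattern behind a Host-header-based "local only" check and a hardened version that decides on the TCP peer address instead, with the Host header reduced to an allowlist check. The request dictionaries and addresses are constructed sample input.

```python
import ipaddress

# Hostnames a local-only endpoint is willing to answer to (assumed allowlist).
LOOPBACK_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def host_without_port(host_header):
    """Normalise a Host header value: lowercase, strip the port, unwrap [IPv6]."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. "[::1]:8000"
        end = host.find("]")
        return host[1:end] if end != -1 else ""
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_local_weak(headers):
    """The weak pattern: trust the client-controlled Host header alone.

    Any client can send 'Host: localhost', so this check says nothing about
    where the request actually came from (hypothetical reconstruction of the
    flaw class, not the project's real decorator).
    """
    return host_without_port(headers.get("Host", "")) in LOOPBACK_HOSTS


def is_local_hardened(remote_addr, headers, allowed_hosts=LOOPBACK_HOSTS):
    """Hardened check: the socket peer address decides, Host is only validated.

    remote_addr must be the real TCP peer as reported by the server, never a
    value taken from X-Forwarded-For or similar headers; if the app sits
    behind a reverse proxy, the proxy must enforce the restriction instead.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparseable peer address: fail closed
    if not peer.is_loopback:
        return False
    # Host still has to match the allowlist so DNS-rebinding style hostnames
    # are rejected even for genuinely local clients.
    return host_without_port(headers.get("Host", "")) in allowed_hosts


# Constructed sample requests: a spoofed Host header from a non-local peer.
SPOOFED = {"Host": "localhost:8000"}
print(is_local_weak(SPOOFED))                        # True  (bypass)
print(is_local_hardened("203.0.113.5", SPOOFED))     # False (blocked)
print(is_local_hardened("127.0.0.1", SPOOFED))       # True  (real local client)
```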
CVE-2026-33314 is a Server-Side Request Forgery (SSRF) vulnerability affecting pyLoad-ng versions up to 0.5.0b3.dev96, allowing attackers to bypass local restrictions and potentially cause denial-of-service.
If you are running pyLoad-ng version 0.5.0b3.dev96 or earlier, you are potentially affected by this SSRF vulnerability.
Upgrade pyLoad-ng to version 0.5.0b3.dev97 or later to patch the vulnerability. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
While no active exploitation has been publicly confirmed, the SSRF nature of the vulnerability suggests potential for exploitation, and organizations should prioritize patching.
Refer to the official pyLoad-ng project repository and associated communication channels for the latest advisory and security updates.