Platform: python
Component: pyload
Fixed in: 0.5.1
CVE-2026-35187 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in pyLoad, a free and open-source download manager written in Python. This flaw allows authenticated users with ADD permission to make arbitrary HTTP/HTTPS requests, potentially exposing internal network resources and sensitive data. The vulnerability impacts versions 0.5.0b3.dev0 through 0.5.0b3.dev96, and a fix is available in version 0.5.0b3.dev96.
The SSRF vulnerability in pyLoad allows an authenticated attacker to initiate server-side requests to any URL, bypassing typical security controls. This can lead to several severe consequences. Attackers can access internal network resources that are not directly exposed to the internet, potentially including databases, configuration files, and other sensitive systems. The ability to use protocols like file://, gopher://, and dict:// expands the attack surface, enabling attackers to read local files on the server, interact with internal services, and even enumerate file existence. Exploitation could reveal credentials, compromise internal systems, or facilitate further attacks within the network.
This vulnerability was publicly disclosed on 2026-04-06. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.7 (HIGH) indicates a significant potential for exploitation if left unaddressed.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35187 is to upgrade pyLoad to version 0.5.0b3.dev96 or later, which includes the necessary URL validation and protocol restriction fixes. If upgrading immediately is not possible, consider implementing temporary workarounds. Restrict access to the pyLoad API endpoint to only authorized users. Implement a Web Application Firewall (WAF) with rules to block requests to suspicious URLs or protocols. Carefully review and restrict the permissions granted to authenticated users within pyLoad, limiting their ability to add new URLs. Monitor pyLoad logs for unusual outbound requests that might indicate exploitation attempts.
Update to version 0.5.0b3.dev96 or higher to mitigate the SSRF vulnerability. This version implements URL validation and protocol restrictions to prevent unauthorized access to internal resources.
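The fix is described as URL validation plus protocol restriction. The following is an added illustration of that control, not pyLoad's own code: the function name, the allowed-scheme set and the injectable resolver are assumptions. It rejects non-http(s) schemes (file://, gopher://, dict://) and any destination that is, or resolves to, a non-public address, with IPv4-mapped IPv6 literals unwrapped before the check.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Assumed policy: downloads may only use http or https.
ALLOWED_SCHEMES = {"http", "https"}
Resolver = Callable[[str], Iterable[str]]


def _system_resolver(host: str) -> Iterable[str]:
    """Return every address the system resolver gives for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_public_address(text: str) -> bool:
    """True only for globally routable addresses (raises ValueError if not an IP)."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
    return addr.is_global  # False for loopback, private, link-local, reserved


def is_safe_download_url(url: str, resolver: Resolver = _system_resolver) -> bool:
    """Hypothetical validator: accept only http(s) URLs aimed at public hosts."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # blocks file://, gopher://, dict:// and anything else
    host = parts.hostname
    if not host or host.lower() == "localhost":
        return False
    try:
        return _is_public_address(host)  # literal IPv4/IPv6 host
    except ValueError:
        pass  # a hostname (including odd forms like 0x7f000001): resolve it
    try:
        addresses = list(resolver(host))
    except OSError:
        return False  # resolution failed: refuse rather than guess
    # Every answer must be public; one internal A/AAAA record is enough to refuse.
    return bool(addresses) and all(_is_public_address(a) for a in addresses)
```

Validating at add time is not sufficient on its own: the address accepted here must be the one the downloader actually connects to, or a later, different resolution (DNS rebinding) bypasses the check.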
CVE-2026-35187 is a Server-Side Request Forgery vulnerability in pyLoad versions 0.5.0b3.dev0 through 0.5.0b3.dev96, allowing authenticated users to make arbitrary requests.
You are affected if you are using pyLoad versions 0.5.0b3.dev0 through 0.5.0b3.dev96 and have not upgraded to 0.5.0b3.dev96 or later.
Upgrade pyLoad to version 0.5.0b3.dev96 or later. Consider temporary workarounds like restricting API access and implementing WAF rules if immediate upgrade is not possible.
There is currently no indication of active exploitation campaigns targeting this vulnerability, but the HIGH severity score warrants immediate attention.
Refer to the pyLoad project's official website or GitHub repository for the latest security advisories and updates.