Platform
python
Component
pyload-ng
Fixed in
0.5.1
0.5.1
CVE-2026-35459 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in pyload-ng, a Python-based download manager. This flaw allows authenticated users with ADD permission to bypass the existing IP validation mechanism by exploiting HTTP redirects. The vulnerability affects versions of pyload-ng up to and including 0.5.0b3.dev96, and a fix is available in a subsequent release.
The SSRF vulnerability in pyload-ng poses a significant risk because it allows an attacker to craft a malicious URL that redirects to an internal resource. Because pycurl is configured to follow redirects, the initial URL validation is bypassed. This can lead to unauthorized access to internal services, data exfiltration, and potentially even remote code execution if the internal resources are vulnerable. The impact is amplified by the fact that the attacker only needs ADD permission, a relatively low privilege level within the pyload-ng environment. This vulnerability shares similarities with other SSRF exploits where redirect chains are used to circumvent security controls.
CVE-2026-35459 was publicly disclosed on 2026-04-04. The vulnerability's severity is rated as CRITICAL (CVSS 9.5). There is no indication of this vulnerability being added to the CISA KEV catalog at the time of writing. Public proof-of-concept exploits are not currently known, but the ease of exploitation due to the redirect bypass makes it likely that such exploits will emerge. Active campaigns are not currently confirmed.
Exploit Status
EPSS
0.03% (10% percentile)
The primary mitigation for CVE-2026-35459 is to upgrade to a patched version of pyload-ng that includes the corrected IP validation logic. If upgrading immediately is not possible, consider implementing temporary workarounds. One approach is to configure a Web Application Firewall (WAF) or proxy server to block requests with excessive redirects or those targeting internal IP addresses. Another workaround involves restricting the domains or IP addresses that pyload-ng is allowed to connect to. After upgrading, verify the fix by attempting to submit a URL that redirects to an internal resource; the request should be blocked by the updated validation logic.
Update pyLoad to a patched version. The vulnerability is due to inadequate validation of HTTP redirects after a previous fix. Refer to the official pyload documentation for specific upgrade instructions and ensure the environment is updated.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-35459 is a critical SSRF vulnerability in pyload-ng versions up to 0.5.0b3.dev96, allowing attackers to bypass IP validation via HTTP redirects and access internal resources.
You are affected if you are using pyload-ng version 0.5.0b3.dev96 or earlier. Check your version and upgrade immediately.
Upgrade to a patched version of pyload-ng that includes the corrected IP validation logic. If immediate upgrade is not possible, implement WAF rules or restrict allowed domains.
While no active exploitation campaigns have been confirmed, the ease of exploitation makes it likely that exploits will emerge. Monitor your systems closely.
Refer to the official pyload-ng project's website or GitHub repository for the latest security advisories and updates related to CVE-2026-35459.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.