pyload-ng
Fixed in
0.5.1
0.5.0b3.dev97
CVE-2026-33314 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in pyLoad-ng, a free and open-source download manager written in Python. This flaw allows unauthenticated attackers to bypass local-only restrictions, potentially leading to denial-of-service and unauthorized access. The vulnerability impacts versions of pyLoad-ng up to and including 0.5.0b3.dev96, and a patch is available in version 0.5.0b3.dev97.
The SSRF vulnerability in pyLoad-ng arises from a Host Header Spoofing issue within the @local_check decorator. An attacker can exploit this by crafting malicious requests that bypass the intended local-only restrictions. Successful exploitation grants access to the Click'N'Load API endpoints, effectively allowing the attacker to remotely queue arbitrary downloads. This can lead to a denial-of-service condition by overwhelming the server with requests or potentially enabling attackers to download sensitive files accessible to the server. The impact is amplified by the unauthenticated nature of the vulnerability, meaning no prior authentication is required to exploit it.
This vulnerability was publicly disclosed on 2026-03-19. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it likely that a PoC will emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential for DoS, organizations using vulnerable versions of pyLoad-ng should prioritize patching.
Organizations and individuals utilizing pyLoad-ng for download management, particularly those running instances accessible from external networks, are at risk. Shared hosting environments where pyLoad-ng is installed alongside other applications are also vulnerable, as a successful exploit could potentially compromise other services on the same server.
• python / server:

    import re
    import requests

    # Versions up to and including 0.5.0b3.dev96 are affected; dev97 contains the fix,
    # so a dev build is only flagged when its number is 96 or lower.
    LAST_VULNERABLE_DEV = 96

    def check_pyload_version(url):
        """Return True if the pyLoad-ng instance at `url` reports a vulnerable dev build."""
        try:
            response = requests.get(f'{url}/api/version', timeout=10)
            response.raise_for_status()
            data = response.json()
            # Accept either a JSON object with a 'version' key or a bare version string.
            version = data.get('version', 'unknown') if isinstance(data, dict) else str(data)
            match = re.match(r'^0\.5\.0b3\.dev([0-9]+)$', version)
            if match:
                return int(match.group(1)) <= LAST_VULNERABLE_DEV
            return False
        except (requests.exceptions.RequestException, ValueError):
            return False

    # Example usage
    url = 'http://your-pyload-instance'  # Replace with your pyLoad instance URL
    if check_pyload_version(url):
        print('Vulnerable version detected!')
    else:
        print('Version is likely patched.')

• generic web:

    curl -I http://your-pyload-instance/api/ | grep Host
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2026-33314 is to immediately upgrade pyLoad-ng to version 0.5.0b3.dev97 or later, which contains the fix for the Host Header Spoofing vulnerability. If an immediate upgrade is not feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) or reverse proxy to filter requests and block those with suspicious Host headers. Specifically, configure the WAF to reject requests with Host headers that do not match the expected domain. Regularly review and update pyLoad-ng's configuration to ensure adherence to security best practices.
Update pyLoad to version 0.5.0b3.dev97 or later. This fixes the origin validation and incorrect authentication vulnerability, preventing unauthorized access to the Click'N'Load API and mitigating the SSRF and DoS risks.
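The Host-header weakness and the reverse-proxy/WAF mitigation described above, as an added illustration that is not pyLoad-ng's own code: a hypothetical local_check decorator contrasting a rule that trusts the client-supplied Host header with a hardened rule that decides on the peer address the server itself observed plus an explicit Host allow-list. Request environments are constructed WSGI-style dicts, and ALLOWED_HOSTS, add_download and the 203.0.113.7 documentation address are assumptions.

```python
import ipaddress

# Hypothetical illustration, not pyLoad-ng's own code. ALLOWED_HOSTS mirrors the
# "expected domain" a WAF or reverse proxy would enforce; adjust it to your deployment.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

def _hostname(host_header):
    """Strip an optional :port from a Host header value, handling bracketed IPv6 literals."""
    if host_header.startswith("["):
        return host_header.split("]", 1)[0] + "]"
    return host_header.split(":", 1)[0]

def host_header_is_local(environ):
    """Weak rule: HTTP_HOST is supplied by the client, so a remote caller can satisfy it."""
    return _hostname(environ.get("HTTP_HOST", "")) in ALLOWED_HOSTS

def peer_is_loopback(environ):
    """Hardened rule: REMOTE_ADDR is filled in by the server's socket layer, not the client."""
    try:
        return ipaddress.ip_address(environ.get("REMOTE_ADDR", "")).is_loopback
    except ValueError:
        return False

def local_check(handler):
    """Decorator in the spirit of the advisory's @local_check, using the hardened rule:
    the peer must be loopback AND the Host header must be on the allow-list.
    Caveat: behind a reverse proxy REMOTE_ADDR is the proxy, so enforce this at the proxy."""
    def wrapper(environ):
        if not (peer_is_loopback(environ) and host_header_is_local(environ)):
            return 403, "forbidden: not a local request"
        return handler(environ)
    return wrapper

@local_check
def add_download(environ):
    """Stand-in for a Click'N'Load-style endpoint that queues a download."""
    return 200, "queued"

# Constructed requests: a genuine loopback call and an external caller sending a
# forged Host header (203.0.113.7 is a documentation address).
LOCAL_REQUEST = {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "localhost:8000"}
SPOOFED_REQUEST = {"REMOTE_ADDR": "203.0.113.7", "HTTP_HOST": "localhost:8000"}

if __name__ == "__main__":
    for name, env in (("local", LOCAL_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        print(f"{name}: host-header rule={host_header_is_local(env)} hardened={add_download(env)}")
```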
CVE-2026-33314 is a Server-Side Request Forgery (SSRF) vulnerability affecting pyLoad-ng versions up to 0.5.0b3.dev96, allowing attackers to bypass local restrictions and potentially cause denial-of-service.
If you are running pyLoad-ng version 0.5.0b3.dev96 or earlier, you are potentially affected by this SSRF vulnerability.
Upgrade pyLoad-ng to version 0.5.0b3.dev97 or later to patch the vulnerability. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
While no active exploitation has been publicly confirmed, the SSRF nature of the vulnerability suggests potential for exploitation, and organizations should prioritize patching.
Refer to the official pyLoad-ng project repository and associated communication channels for the latest advisory and security updates.