CVE-2026-46561

Published: May 28, 2026Modified: May 29, 2026Deferred

5.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Exploitability: 3.1 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An authenticated attacker can supply a URL pointing to an attacker-controlled server that responds with a 302 redirect to an internal/private IP address, bypassing the is_global_host() check on the initial URL. This vulnerability is fixed in 0.5.0b3.dev100.

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://github.com/pyload/pyload/security/advisories/GHSA-8rp3-xc6w-5qp5

Source: security-advisories@github.com

https://github.com/pyload/pyload/security/advisories/GHSA-8rp3-xc6w-5qp5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.