CVE-2026-35187
Status: Received - Intake
Server-Side Request Forgery in pyLoad parse_urls API

Publication date: 2026-04-06

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, read local files via file:// protocol (pycurl reads the file server-side), interact with internal services via gopher:// and dict:// protocols, and enumerate file existence via error-based oracle (error 37 vs empty response).
Meta Information
  • Published: 2026-04-06
  • Last Modified: 2026-04-20
  • Generated: 2026-05-06
  • AI Q&A: 2026-04-06
  • EPSS Evaluated: 2026-05-05
Affected Vendors & Products
  • Vendor: pyload-ng_project; Product: pyload-ng; Version / Range: up to 0.5.0b3.dev97 (exclusive)
CWE
  • CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35187 is a Server-Side Request Forgery (SSRF) vulnerability in the pyLoad download manager, specifically in the parse_urls API function. This function fetches arbitrary URLs server-side without validating the URL, restricting protocols, or blacklisting IP addresses.

An authenticated user with ADD permission can exploit this by making HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, reading local files using the file:// protocol, interacting with internal services via the gopher:// and dict:// protocols, and enumerating file existence through error-based responses.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in pyLoad allows an authenticated user with minimal privileges to perform server-side request forgery (SSRF) attacks that can lead to confidentiality loss by reading local files and accessing internal network resources, including cloud metadata endpoints.

Such unauthorized access and data disclosure can result in exposure of sensitive information, which may violate data protection regulations like GDPR and HIPAA that require strict controls on personal and sensitive data confidentiality.

Therefore, this vulnerability poses a significant risk to compliance with these standards by enabling potential data breaches and unauthorized internal network reconnaissance.


How can this vulnerability impact me?

This vulnerability can have serious impacts including confidentiality loss, internal network reconnaissance, and potential data exfiltration.

  • An attacker can read sensitive local files on the server.
  • They can access internal network resources and cloud metadata endpoints, potentially exposing sensitive infrastructure information.
  • The attacker can interact with internal services such as Redis or memcached, which may lead to remote code execution.
  • They can perform internal port scanning and enumerate file existence, aiding further attacks.
  • Data can be exfiltrated out-of-band via DNS or HTTP callbacks.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual or unauthorized HTTP/HTTPS requests initiated by authenticated users with ADD permissions to internal network resources, cloud metadata endpoints, or local file accesses via the file:// protocol.

Detection can include looking for signs of Server-Side Request Forgery (SSRF) such as requests to internal IP addresses (e.g., 169.254.169.254 for cloud metadata), or use of uncommon protocols like gopher:// and dict://.

Suggested ways to detect exploitation attempts include network monitoring and log inspection, for example:

  • Use tcpdump or Wireshark on the pyLoad host to capture outgoing HTTP/HTTPS requests to internal IP ranges (replace eth0 with the host's outbound interface): tcpdump -i eth0 host 169.254.169.254 or tcpdump -i eth0 dst net 10.0.0.0/8
  • Check application logs for calls to the parse_urls API with suspicious URLs that use the file://, gopher://, or dict:// schemes.
  • Use grep or similar tools to search pyLoad logs for error patterns indicating file existence enumeration or internal port scanning.
  • Monitor DNS logs for unusual outbound DNS queries that could indicate out-of-band data exfiltration.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the official patch that enforces strict URL validation and protocol restrictions in the parse_urls function.

Specifically, the patch restricts URL schemes to only http and https, and validates that hostnames resolve exclusively to globally routable IP addresses, blocking private, loopback, link-local, or reserved IPs.

If patching is not immediately possible, restrict access to the pyLoad API to trusted users only, especially limiting those with ADD permissions.

Additionally, implement network-level controls such as firewall rules to block outgoing requests from the pyLoad server to internal IP ranges and cloud metadata endpoints.

Monitor and audit usage of the parse_urls API to detect and respond to suspicious activity promptly.
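As an added illustration of the mitigation described above (example code, not pyLoad's own patch), the following Python check enforces the same two rules: an http/https-only scheme allowlist, and a requirement that every address the host maps to is globally routable. The static_resolver helper and the public address 93.184.216.34 are constructed so the demo runs without network access.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # the patch allows only these two schemes

def resolve_host(host):
    """All A/AAAA addresses of host; a name may map to one public and one private address."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}

def static_resolver(*addrs):
    """Resolver returning fixed, constructed addresses so the demo runs offline."""
    fixed = {ipaddress.ip_address(a) for a in addrs}
    return lambda host: fixed

def is_safe_url(url, resolver=resolve_host):
    """Return (ok, reason); ok only for http(s) URLs whose host maps exclusively to
    globally routable addresses. The fetcher must then connect to the checked address
    (or re-run this on every redirect hop), or DNS rebinding and redirects bypass it."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not http or https"
    host = parts.hostname  # userinfo, port and IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}  # literal address: no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, ValueError):
            return False, f"{host!r} does not resolve"
    for addr in addrs:
        # Judge an IPv4-mapped IPv6 address (::ffff:10.0.0.1) by its IPv4 form.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if not addr.is_global:  # private, loopback, link-local, reserved, ...
            return False, f"{host} resolves to non-global address {addr}"
    return True, "ok"

if __name__ == "__main__":
    demo = static_resolver("93.184.216.34")  # constructed public address
    for u in ("https://example.com/file.zip", "file:///etc/passwd",
              "gopher://127.0.0.1:6379/", "http://169.254.169.254/latest/meta-data/"):
        print(u, "->", is_safe_url(u, demo))
```

The same function can be run over URLs extracted from parse_urls log entries to flag the requests the detection section describes.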

