PT-2026-26478 · Pyload · Pyload

Jaynornj (+1) · Published 2026-03-19 · Updated 2026-03-24
CVE-2026-33314 · CVSS v3.1 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: pyLoad versions prior to 0.5.0b3.dev97

Description: A Host header spoofing issue in the @local_check decorator that guards pyLoad's Click'N'Load (CNL) API allows unauthenticated external attackers to bypass its local-only restriction. The decorator is meant to admit only requests that originate from the loopback interface, but it also accepts any request whose HTTP Host header equals 127.0.0.1:9666. Because the Host header is fully client-controlled, a remote attacker can send Host: 127.0.0.1:9666 and pass the check even though the request's source IP address is not local.

The affected API endpoints include /flash/, /flash/<id>, /flash/add, /flash/addcrypted, /flash/addcrypted2, /flashgot, /flashgot_pyload and /flash/checkSupportForUrl. A single POST request (for example sent with curl) to one of these endpoints with the spoofed Host header lets the attacker add arbitrary URLs to the download queue. pyLoad then fetches those URLs from the server's own network position, which can be abused for Server-Side Request Forgery (SSRF) and, by flooding the queue, for Denial of Service (DoS).

Recommendations: Update to pyLoad version 0.5.0b3.dev97 or later.
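To make the flawed origin check concrete, the following is an added example written for this page; it is not pyLoad's own code. It models the two-way check the advisory describes (peer address OR Host header) next to a hardened variant that trusts only the peer address, and runs a spoofed request through both. The names local_check_vulnerable, local_check_fixed, flash_add, attempt and the WSGI-style environ dictionaries are assumptions made for the example; the real decorator reads the same REMOTE_ADDR and HTTP_HOST keys from the Flask request environment, and the hardened variant is one possible fix rather than necessarily the project's.

```python
from functools import wraps

# Peer addresses that genuinely identify the loopback interface.
LOOPBACK_ADDRS = ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost")
# Host header values the flawed check trusts as proof of a local origin.
# The client fully controls this header, so trusting it is the bug.
TRUSTED_HOST_HEADERS = ("127.0.0.1:9666", "[::1]:9666")

FORBIDDEN = ("Forbidden", 403)


def local_check_vulnerable(func):
    """Modelled on the flawed check: passes if the peer address OR the
    Host header looks local. The Host half is attacker-controlled."""
    @wraps(func)
    def wrapper(environ, *args, **kwargs):
        remote_addr = environ.get("REMOTE_ADDR", "0")
        http_host = environ.get("HTTP_HOST", "0")
        if remote_addr in LOOPBACK_ADDRS or http_host in TRUSTED_HOST_HEADERS:
            return func(environ, *args, **kwargs)
        return FORBIDDEN
    return wrapper


def local_check_fixed(func):
    """Hardened variant (an assumed fix for this example): only the
    transport-level peer address decides; request headers never do."""
    @wraps(func)
    def wrapper(environ, *args, **kwargs):
        if environ.get("REMOTE_ADDR", "0") in LOOPBACK_ADDRS:
            return func(environ, *args, **kwargs)
        return FORBIDDEN
    return wrapper


def make_queue_handler(decorator, queue):
    """Build a stand-in for the /flash/add handler guarded by `decorator`.
    On success it appends the submitted URLs to `queue` (assumed handler)."""
    @decorator
    def flash_add(environ, urls):
        queue.extend(urls)
        return ("success", 200)
    return flash_add


def request_environ(remote_addr, host_header):
    """Constructed WSGI-style environ holding the two keys the check reads."""
    return {"REMOTE_ADDR": remote_addr, "HTTP_HOST": host_header}


def attempt(decorator, remote_addr, host_header, urls):
    """Run one request through a handler guarded by `decorator`.
    Returns (http_status, list of URLs that ended up queued)."""
    queue = []
    handler = make_queue_handler(decorator, queue)
    _, status = handler(request_environ(remote_addr, host_header), urls)
    return status, list(queue)


# Constructed scenario: an external client (TEST-NET-3 address) spoofs the
# Host header, the same trick the advisory's curl request uses, and tries to
# queue a URL that points into the server's internal network (SSRF).
SPOOFED_HOST = "127.0.0.1:9666"
ATTACKER_IP = "203.0.113.7"
SSRF_URL = "http://169.254.169.254/latest/meta-data/"


def demo():
    return {
        "spoofed_vs_vulnerable": attempt(local_check_vulnerable, ATTACKER_IP, SPOOFED_HOST, [SSRF_URL]),
        "spoofed_vs_fixed": attempt(local_check_fixed, ATTACKER_IP, SPOOFED_HOST, [SSRF_URL]),
        # A genuinely local client keeps working after the fix.
        "local_vs_fixed": attempt(local_check_fixed, "127.0.0.1", SPOOFED_HOST, [SSRF_URL]),
        # Without the spoofed header the flawed check already refuses.
        "honest_vs_vulnerable": attempt(local_check_vulnerable, ATTACKER_IP, "pyload.example:8000", [SSRF_URL]),
    }


if __name__ == "__main__":
    for name, (status, queued) in demo().items():
        print(f"{name:24s} status={status} queued={queued}")
```

Two caveats for anyone applying the hardened pattern. First, it assumes pyLoad terminates client connections itself; behind a reverse proxy REMOTE_ADDR is the proxy's address, so a loopback-only check either locks everyone out or, if the proxy runs on the same host, admits everyone. In that deployment the restriction has to be enforced at the proxy or by binding the CNL listener to loopback, never by parsing X-Forwarded-For or Host, which are just as spoofable. Second, a quick exposure check is to send a request from a non-local address with the spoofed Host header to one of the listed endpoints: a 403 indicates the check no longer trusts the header.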

Weakness Enumeration

CWE-346 Origin Validation Error
CWE-287 Improper Authentication

Related Identifiers

CVE-2026-33314
GHSA-Q485-CG9Q-XQ2R
PYSEC-2026-122

Affected Products

Pyload