PT-2026-28586 · Pyload · Pyload
Dhiyaneshgeek · Published 2026-03-27 · Updated 2026-04-05 · CVE-2026-33992
CVSS v4.0 9.3 Critical
Vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Name of the Vulnerable Software and Affected Versions
pyLoad versions prior to 0.5.0b3.dev97

Description
pyLoad's download engine accepts arbitrary URLs without validation, which allows Server-Side Request Forgery (SSRF). An authenticated attacker can use this to reach internal network services and to read cloud provider metadata. On DigitalOcean droplets this exposes infrastructure data including the droplet ID, network configuration, region, authentication keys, and any SSH keys configured through user-data/cloud-init. The vulnerable code path is the package-download functionality exposed through the /api/addPackage endpoint, where user-supplied URLs are handed to the download engine unchecked. The request handler lives in src/pyload/webui/app/blueprints/api_blueprint.py; the download engine in src/pyload/core/managers/download.py accepts any URL scheme and issues HTTP requests to arbitrary destinations. Exploitation consists of submitting a URL such as http://169.254.169.254/metadata/v1.json as a package link and collecting the fetched response. Impact: cloud metadata theft, credential exposure, lateral movement, and infrastructure mapping.

Recommendations
Versions prior to 0.5.0b3.dev97: update to version 0.5.0b3.dev97 or later. Implement URL validation in the download engine: allow only the http and https schemes, block requests to private IP ranges (RFC 1918) and link-local addresses, and block cloud metadata endpoints (169.254.169.254, metadata.google.internal, etc.). Apply the address check to what the hostname resolves to, not only to literal IPs in the URL, so that a DNS name pointing at an internal address is rejected as well.
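The following Python is an added example, not pyLoad's own code and not the upstream fix: it implements the allow-list the recommendations describe (http/https only; private, loopback and link-local addresses refused; metadata endpoints refused) and applies the check to every address a hostname resolves to, which is where naive SSRF filters fail. The resolver is injectable so the block runs offline; CONSTRUCTED_DNS and the hostnames mirror.example, rebind.example and imds6.example are constructed sample data, and the function names are this example's own.

```python
"""Added example (not pyLoad's code): allow-list validation for a download
URL before it reaches a download engine. The resolver is injectable so the
check runs offline; CONSTRUCTED_DNS below is sample data, not real records."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Cloud metadata hostnames refused outright, before any DNS lookup.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata"}

# Metadata endpoints that ipaddress's is_private/is_link_local flags alone
# may not cover on every Python version, so they are listed explicitly.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),     # link-local (169.254.169.254)
    ipaddress.ip_network("100.64.0.0/10"),      # CGNAT (Alibaba 100.100.100.200)
    ipaddress.ip_network("fd00:ec2::254/128"),  # AWS IMDS over IPv6
    ipaddress.ip_network("fe80::/10"),          # IPv6 link-local
]


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched."""


def system_resolver(hostname: str) -> List[str]:
    """Return every A/AAAA answer from the system resolver."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr: str) -> bool:
    """True if connecting to addr would reach a non-public destination."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_download_url(url: str,
                          resolver: Callable[[str], Iterable[str]] = system_resolver) -> List[str]:
    """Return the addresses the engine may connect to, or raise UnsafeURL.

    Every resolved address is checked, and the caller should connect to one of
    the returned addresses instead of resolving again, so a DNS answer that
    changes between check and fetch (rebinding) cannot bypass the filter."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        raise UnsafeURL(f"metadata hostname blocked: {host}")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError as exc:
            raise UnsafeURL(f"cannot resolve {host}: {exc}") from exc
        if not addrs:
            raise UnsafeURL(f"no addresses for {host}")
    for addr in addrs:
        if is_blocked_address(addr):
            raise UnsafeURL(f"{host} -> {addr} is not a public address")
    return addrs


def is_safe_download_url(url: str,
                         resolver: Callable[[str], Iterable[str]] = system_resolver) -> bool:
    """Accept/reject wrapper for callers that do not need the addresses."""
    try:
        validate_download_url(url, resolver)
        return True
    except UnsafeURL:
        return False


# Constructed DNS table for offline use (sample data, not real records).
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "mirror.example": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # one public, one internal
    "imds6.example": ["fd00:ec2::254"],
}


def constructed_resolver(hostname: str) -> List[str]:
    """Offline stand-in for system_resolver backed by CONSTRUCTED_DNS."""
    try:
        return CONSTRUCTED_DNS[hostname.lower().rstrip(".")]
    except KeyError:
        raise socket.gaierror(f"no constructed entry for {hostname}")


if __name__ == "__main__":
    for candidate in ("https://mirror.example/file.zip",
                      "http://169.254.169.254/metadata/v1.json",
                      "http://[::ffff:169.254.169.254]/metadata/v1.json",
                      "http://rebind.example/file.zip"):
        verdict = "ALLOW" if is_safe_download_url(candidate, constructed_resolver) else "BLOCK"
        print(verdict, candidate)
```

In a download manager this check belongs where the user-supplied link enters the system (the addPackage handler, before the engine ever sees the URL), and it has to be repeated on every redirect target the engine follows, since a public host can redirect to 169.254.169.254. Literal IPs in unusual forms (decimal, octal, IPv4-mapped IPv6) are handled by letting the resolver and ipaddress normalise them rather than by string matching.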

Weakness Enumeration
SSRF

Related Identifiers

CVE-2026-33992
GHSA-7GVF-3W72-P2PG
GHSA-M74M-F7CR-432X

Affected Products

Pyload