PT-2026-30319 · Pyload · Pyload

Morimori-Dev · Published 2026-04-04 · Updated 2026-04-06 · CVE-2026-35187

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: pyLoad versions 0.5.0b3.dev96 and earlier

Description: pyLoad, a Python-based download manager, has an issue in the `parse_urls` API function located in `src/pyload/core/api/__init__.py`. This function retrieves URLs server-side using `get_url(url)` (pycurl) without validating the URL, restricting protocols, or implementing an IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints. They can also read local files via the `file://` protocol, interact with internal services using the `gopher://` and `dict://` protocols, and enumerate file existence through an error-based oracle. The `get_url()` function is used without any restrictions, allowing access to various protocols and internal resources.

Recommendations: Restrict allowed protocols and validate target addresses. Implement a function like `is_safe_url()` to check that the URL scheme is `http` or `https`, and verify that the hostname resolves to a non-private, non-loopback, and non-reserved IP address before making the request.
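One possible shape for the `is_safe_url()` check the recommendation describes, written here as an added illustration and not pyLoad's own code or its actual fix. The `_resolve` helper and the `resolve` parameter are assumptions added so the check can be exercised without live DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only the schemes pyLoad actually needs for fetching; file://, gopher://,
# dict:// and everything else are rejected before any request is made.
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Default resolver (assumed helper): every A/AAAA address for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_url(url, resolve=_resolve):
    """True only if url is http(s) and EVERY address its host resolves to
    is globally routable. Loopback, RFC1918, link-local (including the
    169.254.169.254 cloud metadata range), reserved and multicast fail."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = {str(ipaddress.ip_address(host))}   # IP literal: no DNS needed
    except ValueError:
        try:
            addrs = set(resolve(host))
        except (socket.gaierror, OSError):
            return False
    if not addrs:                # unresolvable name: fail closed
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is checked as 10.0.0.1
        # is_global already excludes private, loopback, link-local and
        # reserved blocks; multicast is excluded explicitly.
        if not ip.is_global or ip.is_multicast:
            return False
    return True
```

Because the fetch layer resolves the name a second time, the request should be pinned to the address that passed this check (and redirects re-validated), otherwise a DNS answer that changes between check and fetch bypasses it.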

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-35187
GHSA-2WVG-62QM-GJ33

Affected Products

Pyload