PT-2026-30339 · Pyload · Pyload

Author: Kodareef5 · Published 2026-04-04 · Updated 2026-04-06

CVE-2026-35459 · CVSS v4.0 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: pyLoad versions 0.5.0b3.dev96 and earlier
Description: pyLoad contains a server-side request forgery (SSRF) vulnerability. The initial fix for CVE-2026-33992 added IP validation for the initial download URL, but HTTP redirects are not validated. An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address. The vulnerability allows access to cloud metadata endpoints, internal network services, and localhost services. The BaseDownloader.download() function and the HTTPRequest class are involved. HTTPRequest sets the pycurl FOLLOWLOCATION option to 1 and MAXREDIRS to 10, so redirects are followed automatically, and the REDIR_PROTOCOLS option is not restricted, so redirects to any protocol are followed. Because the SSRF check validates only the initial URL, redirect targets bypass the filter entirely.
Recommendations: Disable automatic redirect following in HTTPRequest.__init__() by setting self.c.setopt(pycurl.FOLLOWLOCATION, 0), and implement manual redirect following in the download logic with SSRF validation at each hop. Alternatively, restrict redirect protocols by setting self.c.setopt(pycurl.REDIR_PROTOCOLS, pycurl.PROTO_HTTP | pycurl.PROTO_HTTPS) and add a pycurl callback that validates the redirect destination IP before the redirect is followed.
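The per-hop validation the recommendations describe, as an added example that is not pyLoad's code: it uses the Python standard library instead of pycurl so it runs stand-alone, and the `check_url`, `forbidden_ip`, `fetch_once` and `download` names and the injectable `fetch` parameter are assumptions made for this illustration.

```python
import ipaddress, socket, urllib.error, urllib.request
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}     # same restriction as REDIR_PROTOCOLS HTTP|HTTPS
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRS = 10                         # same cap the advisory cites for MAXREDIRS

def forbidden_ip(ip):
    # Loopback, link-local (cloud metadata), private and other non-routable ranges.
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_url(url):
    """Reject non-http(s) schemes and hosts whose addresses are forbidden."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"blocked scheme or host: {url}")
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]   # IP literal: no DNS needed
    except ValueError:
        addrs = [ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(parts.hostname, None)]
    for ip in addrs:
        if forbidden_ip(ip):
            raise ValueError(f"blocked address {ip} for {url}")
    return url

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                                      # surface 3xx instead of following

def fetch_once(url):
    """One request with redirects off (FOLLOWLOCATION=0 equivalent) -> (status, Location, body)."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=10) as resp:
            return resp.status, None, resp.read()
    except urllib.error.HTTPError as err:
        if err.code in REDIRECT_CODES:
            return err.code, err.headers.get("Location"), b""
        raise

def download(url, fetch=fetch_once, max_redirs=MAX_REDIRS):
    """Follow redirects by hand, running check_url() on every hop; fetch is injectable."""
    for _ in range(max_redirs + 1):
        check_url(url)
        status, location, body = fetch(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)                 # resolve relative Location headers
            continue
        return url, body
    raise ValueError("too many redirects")
```

check_url() is a pre-connect check only: a production fetcher should also pin the connection to the validated address (for pycurl, the RESOLVE option) so that a second DNS resolution between the check and the connect cannot change the destination.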

Tags: Fix, SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-35459
GHSA-7GVF-3W72-P2PG

Affected Products

Pyload