PT-2026-42682 · Pyload · Pyload

Offset · Published 2026-05-21 · Updated 2026-05-28 · CVE-2026-46561

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: pyLoad versions prior to 0.5.0b3.dev100
Description: An authenticated attacker can perform Server-Side Request Forgery (SSRF) by supplying to the 'parse_urls' API endpoint a URL that points to a server under their control. That server can respond with a 302 redirect to an internal or private IP address, bypassing the is_global_host() check, which is performed only on the initial URL. This happens because the HTTPRequest class used by the get_url() function has the allow_private_ip variable set to True by default, which causes the pre_request_callback() function to skip private IP validation during redirects.
This issue can be exploited to reach internal services on private networks, localhost services, or cloud metadata endpoints (such as AWS IMDSv1), potentially leaking IAM credentials, instance metadata, and secrets.
Recommendations: Update to version 0.5.0b3.dev100 or later.
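As an added illustration, not pyLoad's own code, the following models the redirect-validation defect described above: a constructed fetcher validates the initial host, but with allow_private_ip=True (the pre-fix default) it skips that validation on the redirect target, whereas allow_private_ip=False re-validates every hop. The hostnames, DNS map and HTTP responses are constructed stand-ins.

```python
import ipaddress
from urllib.parse import urlparse

# Address ranges an SSRF guard must refuse; 169.254.0.0/16 covers cloud metadata endpoints.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS; both hostnames are hypothetical.
FAKE_DNS = {"attacker.example": "203.0.113.10", "metadata.internal": "169.254.169.254"}


def is_global_host(hostname):
    """True if the host (literal IP or name) resolves outside every blocked range."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = ipaddress.ip_address(FAKE_DNS[hostname])
    return not any(ip in net for net in BLOCKED_NETWORKS)


def fetch(url, responses, allow_private_ip=True, max_redirects=5):
    """Fetch `url` from a constructed {url: (status, location, body)} map, following redirects.

    The initial host is always checked; redirect targets are only checked when
    allow_private_ip is False, mirroring the defect in the advisory above.
    """
    if not is_global_host(urlparse(url).hostname):
        raise ValueError("blocked initial host")
    for _ in range(max_redirects):
        status, location, body = responses[url]
        if status not in (301, 302, 303, 307, 308):
            return body
        target = urlparse(location).hostname
        if not allow_private_ip and not is_global_host(target):
            raise ValueError(f"blocked redirect to non-global host: {target}")
        url = location  # pre-fix behaviour: the hop is followed unchecked
    raise ValueError("too many redirects")


# Constructed exchange: the controlled server answers with a 302 to a metadata address.
RESPONSES = {
    "http://attacker.example/x": (302, "http://metadata.internal/latest/meta-data/", b""),
    "http://metadata.internal/latest/meta-data/": (200, None, b"<metadata placeholder>"),
}


def redirect_outcome(allow_private_ip):
    """Return the fetched body, or the guard's error message if the hop was blocked."""
    try:
        return fetch("http://attacker.example/x", RESPONSES, allow_private_ip=allow_private_ip)
    except ValueError as exc:
        return str(exc)
```

Running redirect_outcome(True) returns the placeholder body (the redirect was followed), while redirect_outcome(False) returns the blocked-redirect message.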

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-46561
GHSA-8RP3-XC6W-5QP5

Affected Products

Pyload