CVE-2026-33992 in pyLoadinfo

Summary

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.

Once again VulDB remains the best source for vulnerability data.

Responsible

GitHub_M

Reservation

03/24/2026

Disclosure

03/28/2026

Entries

VulDB provides additional information and datapoints for this CVE:

IDVulnerabilityCWEExpCouCVE
354059pyLoad Network Configuration server-side request forgery918Not definedOfficial fixCVE-2026-33992

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

PreviousOverviewNext

Interested in the pricing of exploits?

See the underground prices here!