PatchSiren cyber security CVE debrief

CVE-2026-46561 pyload CVE debrief

CVE-2026-46561 is a Server-Side Request Forgery (SSRF) vulnerability in pyLoad, a free and open-source Python download manager. The flaw exists in versions prior to 0.5.0b3.dev100, where the PREREQFUNCTION-based private IP address validation was not applied to HTTPRequest, which is used by the parse_urls API. An authenticated attacker can exploit this by supplying a URL pointing to an attacker-controlled server that responds with an HTTP 302 redirect to an internal or private IP address. This bypasses the is_global_host() check performed on the initial URL, allowing the attacker to make requests to internal network resources that should be inaccessible. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and has a CVSS 3.1 score of 5.0 (MEDIUM severity). The issue was fixed in pyLoad version 0.5.0b3.dev100.

Vendor: pyload
Product: Unknown
CVSS: MEDIUM 5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running pyLoad download manager instances, particularly those with multi-user deployments or exposed management interfaces. Security teams concerned with SSRF attack vectors and internal network reconnaissance. DevOps engineers maintaining pyLoad installations in containerized or cloud environments where metadata services may be accessible.

Technical summary

The pyLoad download manager's parse_urls API uses HTTPRequest without applying the PREREQFUNCTION-based private IP validation that exists elsewhere in the codebase. An authenticated attacker can submit a URL to an external attacker-controlled server that returns an HTTP 302 redirect response targeting an internal IP address (e.g., 192.168.x.x, 10.x.x.x, 172.16-31.x.x). Because is_global_host() only validates the initial URL and not the redirect destination, the application follows the redirect and makes requests to internal resources. This SSRF primitive could enable port scanning, access to internal services, or retrieval of sensitive metadata from cloud provider endpoints. The fix in 0.5.0b3.dev100 ensures the private IP check is applied to HTTPRequest operations.

Defensive priority

medium

Recommended defensive actions

  • Upgrade pyLoad to version 0.5.0b3.dev100 or later to remediate this vulnerability
  • Review and apply the PREREQFUNCTION-based private IP check to all HTTP request paths, including the HTTPRequest path used by the parse_urls API
  • Implement follow-redirect restrictions that re-validate destination IP addresses after each redirect hop
  • Consider implementing network segmentation to limit internal resource exposure from application servers
  • Audit application logs for suspicious URL patterns involving external domains that redirect to private IP ranges
  • Review authentication controls for the parse_urls API and similar endpoints that accept user-supplied URLs
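The redirect-bypass pattern from the technical summary and the per-hop re-validation recommended above, as an added example that is not pyLoad's own code (pyLoad applies the check through pycurl's PREREQFUNCTION; this stdlib-only version stands in for that). The resolver, transport, hostnames, addresses and responses are constructed fixtures for the demo; `check_every_hop=False` reproduces the flawed behaviour of checking only the initial URL so the two can be compared side by side.

```python
import ipaddress
from urllib.parse import urljoin, urlparse
class SSRFBlocked(Exception):
    """Raised when the request, or any redirect target, points at a non-global host."""

def is_global_host(host, resolve):
    """True only if host is, or resolves solely to, globally routable addresses."""
    try:
        addrs = [ipaddress.ip_address(host)]  # host given as an IP literal
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]  # resolve() is injected
    # Unresolvable -> unsafe; is_global rejects RFC 1918, loopback, link-local (169.254.169.254) etc.
    return bool(addrs) and all(a.is_global for a in addrs)

def fetch(url, send, resolve, check_every_hop=True, max_redirects=5):
    """Follow redirects by hand so the destination is validated at every hop.
    send(url) -> (status, headers, body). check_every_hop=False reproduces the flaw."""
    hops = []
    for i in range(max_redirects + 1):
        host = urlparse(url).hostname
        if (i == 0 or check_every_hop) and not (host and is_global_host(host, resolve)):
            raise SSRFBlocked(f"refusing non-global host {host!r} at hop {i}")
        hops.append(url)
        status, headers, body = send(url)
        location = headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location resolves against current URL
            continue
        return status, body, hops
    raise SSRFBlocked("too many redirects")

# Constructed fixtures for the demo (not real hosts or responses).
RESOLVE = {"attacker.example": ["93.184.216.34"], "files.example": ["93.184.216.35"]}
RESPONSES = {
    "http://attacker.example/go": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"instance-id"),  # must never be reached
    "http://files.example/a": (302, {"Location": "/b"}, b""),
    "http://files.example/b": (200, {}, b"ok"),
}
def demo_resolve(host):
    return RESOLVE.get(host, [])
def demo_send(url):
    return RESPONSES[url]

def is_blocked(url, check_every_hop=True):
    try:
        fetch(url, demo_send, demo_resolve, check_every_hop)
        return False
    except SSRFBlocked:
        return True
```

With the per-hop check the 302 to the link-local metadata address is refused at hop 1, while the initial-URL-only variant follows it and returns the internal response.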

Evidence notes

Vulnerability description and fix version confirmed via GitHub Security Advisory GHSA-8rp3-xc6w-5qp5. CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N indicates network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low confidentiality impact.

Official resources

2026-05-28