Server-side Request Forgery (SSRF) Affecting pyload-ng package, versions [,0.5.0b3.dev97)


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Social Trends
EPSS
0.27% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-PYLOADNG-15917099
  • published6 Apr 2026
  • disclosed4 Apr 2026
  • creditNozomu Sasaki (Paul)

Introduced: 4 Apr 2026

CVE-2026-35187  (opens in a new tab)
CWE-918  (opens in a new tab)

How to fix?

Upgrade pyload-ng to version 0.5.0b3.dev97 or higher.

Overview

pyload-ng is a The free and open-source Download Manager written in pure Python

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the parse_urls API function. An attacker can access internal network resources, read local files, enumerate file existence, interact with internal services, and exfiltrate data by supplying crafted URLs that leverage multiple protocols such as file://, gopher://, and dict://. This allows the attacker to retrieve sensitive information, scan internal ports, and interact with cloud metadata endpoints.

CVSS Base Scores

version 4.0
version 3.1