CVE-2026-33992 CRITICAL

CVE-2026-33992: pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration

Vendor Pyload
Product pyload
Weakness CWE-918 · SSRF
Published March 27, 2026
Last update March 30, 2026
View on NVD All CVEs

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01Description

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.

Key dates

02Disclosure timeline

March 27, 2026 CVE published
March 30, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-22772 Fulcio vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass CVE-2023-38515 WordPress Church Admin Plugin <= 3.7.56 is vulnerable to Server Side Request Forgery (SSRF) CVE-2024-23654 discourse-ai admin-initiated SSRF when interacting with AI services CVE-2012-10018 Mapplic Lite and Mapplic <= (Various Versions) - Server Side Request Forgery to Cross-Site Scirpting CVE-2023-33184 Blind SSRF in the Nextcloud Mail app on avatar endpoint