CVE-2026-35459
Published: 06 April 2026
Summary
CVE-2026-35459 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in pyLoad (pyload-ng, from the Pyload-Ng Project). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Remote System Discovery (T1018). The CVE ranks at the 13.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate user-submitted download URLs, including every redirect target, so that requests to internal addresses are blocked.
- SI-2 (Flaw Remediation): identify, report, and remediate the SSRF redirect bypass in pyLoad promptly by applying the vendor patch.
- SC-7 (Boundary Protection): monitor and restrict outbound connections from the pyLoad server to internal network resources.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF lets an attacker make the pyLoad server issue requests to internal network addresses, which directly supports Remote System Discovery (T1018) and Network Service Discovery (T1046) by probing internal hosts and services from the server's network position.
NVD Description
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter. An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.
Deeper analysis
CVE-2026-35459 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, in pyLoad, a free and open-source download manager written in Python; it affects versions 0.5.0b3.dev96 and earlier. It is a bypass of the fix for CVE-2026-33992, which added IP validation to BaseDownloader.download() but checks only the hostname of the initial download URL. Because pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, it follows up to ten HTTP redirects automatically, and none of the redirect targets is checked against the SSRF filter.
An authenticated user with ADD permission can therefore submit a URL on a host they control that answers with a redirect to an internal address (for example a loopback, RFC 1918 or link-local address); the pyLoad server follows it and issues the request on the attacker's behalf, which is what makes the internal host and service probing described above possible. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting high confidentiality and integrity impact. Note that the vector's PR:N (no privileges required) is at odds with the description's requirement for an authenticated user with ADD permission; when prioritising, weigh the score against how widely ADD permission is granted and whether the web interface is reachable from untrusted networks.
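The two strategies described above, validating only the initial URL versus validating every redirect hop, are contrasted in the added example below. This is illustrative code written for this page, not pyLoad's own code or its patch: it models pycurl's FOLLOWLOCATION/MAXREDIRS behaviour in plain Python against a constructed resolver map and response table (all hostnames, addresses and paths are made up) so it runs offline, and the filter rules (public addresses only, http/https only) are an assumption, not a statement of what the project's filter does.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

# Constructed stand-in for DNS: hostnames and addresses are made up for this example.
FAKE_DNS = {
    "files.example.com": ["1.2.3.4"],
    "redirector.example.net": ["5.6.7.8"],
    "internal.corp": ["10.0.0.5"],
    "metadata.local": ["169.254.169.254"],
}

# Constructed stand-in for HTTP servers: url -> (status code, Location header).
FAKE_HTTP = {
    "http://files.example.com/a.iso": (200, None),
    "http://files.example.com/moved": (302, "/a.iso"),
    "http://redirector.example.net/dl": (302, "http://internal.corp/admin"),
    "http://internal.corp/admin": (200, None),
    "http://redirector.example.net/hop1": (302, "http://redirector.example.net/hop2"),
    "http://redirector.example.net/hop2": (302, "http://metadata.local/latest"),
    "http://metadata.local/latest": (200, None),
    "http://redirector.example.net/loop": (302, "http://redirector.example.net/loop"),
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


class SSRFBlocked(Exception):
    """Raised when a URL would make the server talk to a non-public address."""


def _is_forbidden(ip) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url: str) -> None:
    """The SSRF filter (assumed rules): http(s) only, and every address the
    host resolves to must be public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise SSRFBlocked(f"unsupported URL: {url}")
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]          # literal address, no lookup needed
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]
    if not addrs:
        raise SSRFBlocked(f"unresolvable host: {host}")
    for ip in addrs:
        if _is_forbidden(ip):
            raise SSRFBlocked(f"{host} -> {ip} is not a public address")


def _request(url: str):
    """Stand-in for one HTTP request; returns (status, Location)."""
    return FAKE_HTTP.get(url, (404, None))


def download_follow_location(url: str, max_redirs: int = 10) -> str:
    """Flawed pattern (models FOLLOWLOCATION=1, MAXREDIRS=10): validate the
    initial URL once, then let the client follow redirects blindly.
    Returns the URL that was finally fetched."""
    validate_url(url)
    for _ in range(max_redirs + 1):
        status, location = _request(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)            # redirect target is never checked
            continue
        return url
    raise RuntimeError("too many redirects")


def download_validate_each_hop(url: str, max_redirs: int = 10) -> str:
    """Hardened pattern: follow redirects manually and run the filter on every hop."""
    for _ in range(max_redirs + 1):
        validate_url(url)
        status, location = _request(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)            # Location may be relative
            continue
        return url
    raise RuntimeError("too many redirects")


def outcome(fetch, url: str) -> str:
    """Summarise what a fetcher did with a URL, for comparing the two strategies."""
    try:
        return "fetched " + fetch(url)
    except SSRFBlocked as exc:
        return "blocked: " + str(exc)
    except RuntimeError as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    for url in ("http://redirector.example.net/dl", "http://redirector.example.net/hop1",
                "http://files.example.com/moved", "http://redirector.example.net/loop"):
        print(url)
        print("  FOLLOWLOCATION=1 :", outcome(download_follow_location, url))
        print("  per-hop check    :", outcome(download_validate_each_hop, url))
```

With the blind-follow pattern, a request to the attacker's redirector ends up fetching internal.corp or the link-local metadata address even though the initial URL passed the filter; the per-hop variant stops at the first non-public hop and still enforces the redirect cap. Limiting which schemes a redirect may use is not a substitute: the target host must be resolved and checked on every hop, and in a real client the connection should be made to the address that was checked rather than resolved again afterwards.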
Mitigation details are available in the pyLoad GitHub security advisory at https://github.com/pyload/pyload/security/advisories/GHSA-7gvf-3w72-p2pg and the fixing commit at https://github.com/pyload/pyload/commit/33c55da084320430edfd941b60e3da0eb1be9443.
Details
- CWE(s)