{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33992", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T22:20:06.211Z", "datePublished": "2026-03-27T22:12:39.606Z", "dateUpdated": "2026-03-30T18:29:06.744Z"}, "containers": {"cna": {"title": "pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x"}, {"name": "https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8", "tags": ["x_refsource_MISC"], "url": "https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": "< 0.5.0b3.dev97", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:12:39.606Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch."}], "source": {"advisory": "GHSA-m74m-f7cr-432x", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T18:29:03.216805Z", "id": "CVE-2026-33992", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:29:06.744Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33992", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T18:29:03.216805Z"}}}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T18:28:40.803Z"}}], "cna": {"title": "pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration", "source": {"advisory": "GHSA-m74m-f7cr-432x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"status": "affected", "version": "< 0.5.0b3.dev97"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8", "name": "https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:12:39.606Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33992", "state": "PUBLISHED", "dateUpdated": "2026-03-30T18:29:06.744Z", "dateReserved": "2026-03-24T22:20:06.211Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T22:12:39.606Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload:pyload:0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "E5A06D79-6D64-41FB-9040-17E9630DF4E9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch."}], "id": "CVE-2026-33992", "lastModified": "2026-03-31T14:49:16.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T23:17:14.070", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.5.0b3.dev97)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pyload", "source": "cna", "vendor": "pyload"}, "product": "pyload", "vendor": "pyload"}], "analysis": {"en": {"generated_at": "2026-03-31T16:25:51.586830+00:00", "value": {"mitigation_remediation": ["Update pyLoad to version 0.5.0b3.dev97 or later", "Ensure that the download engine validates URLs and accepts only trusted domains", "If possible, restrict the pyLoad server\u2019s outbound network access to prevent unauthorized internal traffic"], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery that exposes internal network data and cloud metadata"}, "threat_synthesis": {"affected_systems": "pyLoad download manager as distributed in releases prior to 0.5.0b3.dev97, including version 0.5.0. The vulnerability applies to all installations that use the default download engine without URL validation. The affected product is the pyLoad pyload bundle as identified by the CPE cpe:2.3:a:pyload:pyload:0.5.0.", "description_and_impact": "pyLoad\u2019s download engine accepted arbitrary URLs without validation before version 0.5.0b3.dev97, allowing a Server\u2011Side Request Forgery vulnerability. An attacker who could authenticate to the application could make the server request any internal or external resource, enabling access to sensitive internal network services and leakage of cloud metadata such as droplet identifiers, network settings, region, and SSH keys. This constitutes a severe breach of confidentiality and potential compromise of the infrastructure.", "risk_and_exploitability": "With a CVSS base score of 9.3 the score reflects high impact and exploitation ease. The EPSS score is below 1\u202f% indicating a low probability of widespread exploitation, and the vulnerability is not yet in CISA\u2019s KEV list. The attack vector requires an authenticated user\u2019s session, which is inferred from the description. Once authenticated, the attacker can trigger SSRF via the download link submission interface, causing the server to perform outbound requests and retrieve cloud metadata."}}}}, "created": "2026-03-29T20:29:27.915110+00:00", "updated": "2026-03-31T20:00:35.185758+00:00", "vendors": ["pyload", "pyload$PRODUCT$pyload"]}