CVE-2026-35459: pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)

April 4, 2026

The fix for CVE-2026-33992 (GHSA-m74m-f7cr-432x) added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter.

An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.

References

github.com/advisories/GHSA-7gvf-3w72-p2pg
github.com/pyload/pyload
github.com/pyload/pyload/security/advisories/GHSA-7gvf-3w72-p2pg
nvd.nist.gov/vuln/detail/CVE-2026-33992
nvd.nist.gov/vuln/detail/CVE-2026-35459

Code Behaviors & Features

Detect and mitigate CVE-2026-35459 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →