CVE-2026-33992: pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
pyLoad's download engine fetches whatever URL a user submits as a download link, with no check on the scheme or on the address the host name resolves to. An authenticated attacker can therefore use the server as a proxy: this Server-Side Request Forgery (SSRF) reaches services bound to localhost or the internal network and, on a cloud host, the instance metadata service. On DigitalOcean droplets the metadata endpoint at 169.254.169.254 exposes the droplet ID, network configuration, region, authentication keys, and any SSH keys or other secrets placed in the user-data consumed by cloud-init.
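The fix for this class of bug is to vet the destination before the fetch, not after. The following is an added example (not pyLoad's own code, and not the project's patch) of the check a download engine should run on a submitted link: restrict the scheme, resolve the host, and refuse if any resolved address falls in a loopback, private, link-local (metadata) or otherwise non-public range. The function names, the `resolver` hook and the `DEMO_DNS` records are this example's own assumptions; the DNS table is constructed so the block runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, NamedTuple, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a downloader must never reach on a user's behalf. 169.254.0.0/16 is
# link-local and contains the cloud metadata endpoint (169.254.169.254).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",                                        # 0.0.0.0 reaches localhost on Linux
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "100.64.0.0/10",                                    # carrier-grade NAT / VPC-internal
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local, metadata service
    "224.0.0.0/4", "240.0.0.0/4",                       # multicast, reserved
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
    "64:ff9b::/96",                                     # NAT64 prefix onto IPv4 space
)]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Verdict(NamedTuple):
    allowed: bool
    reason: str
    addresses: tuple  # every address the host resolved to; all must be public


def _is_blocked(ip: IPAddress) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 ranges apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> list:
    # Real DNS lookup; returns every A/AAAA answer, not only the first one.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_download_url(url: str,
                       resolver: Callable[[str], Iterable[str]] = system_resolver) -> Verdict:
    """Decide whether a user-submitted download link may be fetched by the server."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return Verdict(False, f"scheme {parts.scheme!r} not allowed", ())
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return Verdict(False, "no host in URL", ())
    if parts.username or parts.password:
        return Verdict(False, "credentials in URL not allowed", ())
    try:
        candidates = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        # Not a dotted-quad/IPv6 literal: resolve it. Tricks such as "2130706433"
        # or "0x7f.1" are not accepted by ipaddress, so they reach the resolver,
        # whose canonical answer (127.0.0.1) is what gets checked.
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return Verdict(False, f"cannot resolve {host!r}: {exc}", ())
    if not candidates:
        return Verdict(False, f"{host!r} resolved to no addresses", ())
    resolved = tuple(str(ip) for ip in candidates)
    for ip in candidates:
        if _is_blocked(ip):
            return Verdict(False, f"{host!r} resolves to non-public address {ip}", resolved)
    return Verdict(True, "ok", resolved)


# Constructed DNS records for an offline demonstration (not real hosts).
DEMO_DNS = {
    "cdn.example": ["203.0.113.10"],
    "metadata.internal.example": ["169.254.169.254"],
    "dual.example": ["203.0.113.10", "10.0.0.5"],  # one public, one private answer
    "localhost": ["127.0.0.1", "::1"],
}


def demo_resolver(host: str) -> list:
    if host not in DEMO_DNS:
        raise socket.gaierror(f"constructed resolver has no record for {host}")
    return DEMO_DNS[host]


if __name__ == "__main__":
    for link in ("http://169.254.169.254/metadata/v1/",
                 "http://[::ffff:169.254.169.254]/metadata/v1/",
                 "http://metadata.internal.example/",
                 "http://dual.example/file.bin",
                 "https://cdn.example/file.bin",
                 "file:///etc/passwd"):
        print(link, "->", check_download_url(link, demo_resolver))
```

Two caveats a practitioner should carry into the real fetch: the client must follow redirects manually and run `check_download_url` on every `Location` it is sent to, and, to close the DNS-rebinding window between check and connect, it should connect to one of the addresses in `Verdict.addresses` and send the original host name in the `Host` header rather than resolving the name a second time.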