CVE-2026-33992
⚪ Do wiadomości
Brak walidacji URL-i w pyLoad umożliwia ataki SSRF i wyciek danych infrastruktury.
CVSS
6.5
EPSS
0.1%
Exploit
poc
Vendor
pyload
Opis źródłowy (NVD)
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.
exploit ssrf
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 6.5 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.1% |
| Opublikowano (NVD) | 2026-03-27 23:17:14 UTC |
| Ostatnia modyfikacja (NVD) | 2026-03-31 14:49:16 UTC |
Referencje
- https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8 (security-advisories@github.com) [Patch]
- https://github.com/pyload/pyload/security/advisories/GHSA-m74m-f7cr-432x (security-advisories@github.com) [Exploit, Vendor Advisory]