Vulnerability Details CVE-2026-33314
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.3%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-33314
-
cpe:2.3:a:pyload-ng_project:pyload-ng:-
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev528
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev532
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev535
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev536
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev537
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev539
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev540
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev545
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev562
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev564
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev565
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev570
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev578
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev587
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a7.dev596
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a8.dev602
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev615
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev629
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev632
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev641
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev643
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev655
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev806
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev1
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev2
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev3
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev4
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev5
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev10
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev11
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev12
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev9
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev13
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev14
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev17
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev18
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev19
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev20
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev21
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev22
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev24
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev26
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev27
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev28
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev29
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev30
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev31
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev32
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev33
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev34
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev35
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev38
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev39
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev40
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev41
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev42
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev43
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev44
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev45
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev46
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev47
-
cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev78