CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-35187

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, read local files via file:// protocol (pycurl reads the file server-side), interact with internal services via gopher:// and dict:// protocols, and enumerate file existence via error-based oracle (error 37 vs empty response).

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 8.9%

CVSS Severity

CVSS v3 Score 7.7

References

Products affected by CVE-2026-35187

Pyload-Ng Project » Pyload-Ng » Version: N/A

cpe:2.3:a:pyload-ng_project:pyload-ng:-
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev528

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev528
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev532

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev532
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev535

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev535
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev536

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev536
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev537

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev537
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev539

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev539
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev540

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev540
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev545

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev545
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev562

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev562
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev564

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev564
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a5.dev565

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a5.dev565
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a6.dev570

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev570
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a6.dev578

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev578
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a6.dev587

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a6.dev587
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a7.dev596

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a7.dev596
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a8.dev602

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a8.dev602
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev615

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev615
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev629

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev629
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev632

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev632
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev641

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev641
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev643

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev643
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev655

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev655
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0a9.dev806

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0a9.dev806
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b1.dev1

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev1
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b1.dev2

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev2
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b1.dev3

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev3
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b1.dev4

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev4
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b1.dev5

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b1.dev5
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b2.dev10

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev10
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b2.dev11

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev11
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b2.dev12

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev12
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b2.dev9

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b2.dev9
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev13

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev13
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev14

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev14
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev17

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev17
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev18

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev18
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev19

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev19
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev20

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev20
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev21

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev21
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev22

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev22
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev24

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev24
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev26

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev26
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev27

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev27
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev28

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev28
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev29

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev29
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev30

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev30
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev31

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev31
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev32

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev32
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev33

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev33
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev34

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev34
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev35

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev35
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev38

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev38
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev39

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev39
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev40

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev40
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev41

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev41
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev42

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev42
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev43

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev43
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev44

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev44
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev45

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev45
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev46

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev46
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev47

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev47
Pyload-Ng Project » Pyload-Ng » Version: 0.5.0b3.dev78

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev78

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-35187

Products

Pricing

Contact Us