CVE-2026-35187

Summary

pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter

Severity

high

EPSS

0.3% (p18)

Also known as

GHSA-2wvg-62qm-gj33

Published

2026-04-04

References

• https://github.com/pyload/pyload/security/advisories/GHSA-2wvg-62qm-gj33
• https://nvd.nist.gov/vuln/detail/CVE-2026-35187
• https://github.com/pyload/pyload/commit/4032e57d61d8f864e39f4dcfdb567527a50a9e1f

Related advisories

• CVE-2026-35459 — critical · PyPI/pyload-ng
• CVE-2026-33992 — critical · PyPI/pyload-ng
• CVE-2025-54802 — critical · PyPI/pyload-ng
• CVE-2025-53890 — critical · PyPI/pyload-ng
• CVE-2026-45348 — high · PyPI/pyload-ng
• CVE-2026-42313 — high · PyPI/pyload-ng
• CVE-2026-41133 — high · PyPI/pyload-ng
• CVE-2026-35464 — high · PyPI/pyload-ng

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity