Back to overview

CVE-2026-56260

CRITICAL
9.1
CVSS 3.1
Description
Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints. The output_path parameter accepts arbitrary filesystem paths without validation, allowing an attacker to supply absolute or path-traversal values to write to any location writable by the application's user, overwriting server files and causing denial of service.

Metadata

CVE ID
CVE-2026-56260
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-19 21:56 UTC
Published
2026-07-12 12:06 UTC
Last updated
2026-07-12 12:06 UTC
Primary CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory …
Vendor / Product
Crawl4AI / Crawl4AI
Sources
cve.org  ·  NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
Crawl4AI Crawl4AI 0 < 0.8.7, 0.8.7
Weakness (CWE)
CWESourceDescription
CWE-22 cna Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores (2)
ScoreSeverityVersionSourceVector
9.1 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
8.8 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
References (3)
Back to overview