Lucene search
K

4 matches found

OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-283 ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView

The /add/ endpoint AddView in core/views.py accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. When PUBLICADDVIEW=True comm...

9.8CVSS6.4AI score0.00404EPSS
Exploits1References5
Snyk
Snyk
added 2026/05/04 9:30 p.m.11 views

Arbitrary Argument Injection

Overview archivebox is a The self-hosted internet archive. Affected versions of this package are vulnerable to Arbitrary Argument Injection via the AddView class. An attacker can execute arbitrary code on the server by submitting specially crafted configuration overrides to the /add/ endpoint,...

9.8CVSS6.3AI score0.00404EPSS
Exploits1References2
OSV
OSV
added 2026/05/04 9:30 p.m.4 views

GHSA-3H23-7824-PJ8R ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView

The /add/ endpoint AddView in core/views.py accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. When PUBLICADDVIEW=True comm...

9.8CVSS6.6AI score0.00404EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/05/04 9:30 p.m.10 views

ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView

The /add/ endpoint AddView in core/views.py accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. When PUBLICADDVIEW=True comm...

9.8CVSS6.6AI score0.00404EPSS
Exploits1References5Affected Software1
Rows per page
Query Builder