Lucene search
K

104 matches found

NVD
NVD
added 3 days ago14 views

CVE-2026-56259

Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. Attackers can exploit the unauthenticated /md, /llm, and /llm/job endpoints by...

8.8CVSS0.00268EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago10 views

EUVD-2026-43227

Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints. The outputpath parameter accepts arbitrary filesystem paths without validation, allowing an attacker to supply absolute or path-traversal values to write to any location...

9.1CVSS6.2AI score0.00421EPSS
Exploits0References3
CVE
CVE
added 3 days ago18 views

CVE-2026-56260

CVE-2026-56260 affects Crawl4AI

9.1CVSS6.2AI score0.00421EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-43226

Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. Attackers can exploit the unauthenticated /md, /llm, and /llm/job endpoints by...

8.8CVSS6.2AI score0.00268EPSS
Exploits0References2
OSV
OSV
added 3 days ago3 views

CVE-2026-56259 Crawl4AI - LLM Credential Exfiltration via base_url and Environment Variable Resolution

Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. Attackers can exploit the unauthenticated /md, /llm, and /llm/job endpoints by...

8.8CVSS6.2AI score0.00268EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-57551

Name of the Vulnerable Software and Affected Versions Crawl4AI versions prior to 0.8.7 Description An arbitrary file write issue exists in the Docker API server. The '/screenshot' and '/pdf' endpoints do not validate the output path parameter, which allows an attacker to use absolute paths or...

9.1CVSS6.2AI score0.00421EPSS
Exploits0References8
NVD
NVD
added 5 days ago7 views

CVE-2026-56261

Crawl4AI before 0.8.7 contains a server-side request forgery SSRF vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, o...

9.2CVSS0.00371EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-56261 Crawl4AI - Server-Side Request Forgery via Webhook URLs

Crawl4AI before 0.8.7 contains a server-side request forgery SSRF vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, o...

9.2CVSS0.00371EPSS
Exploits0References3
EUVD
EUVD
added 5 days ago7 views

EUVD-2026-42880

Crawl4AI before 0.8.7 contains a server-side request forgery SSRF vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, o...

9.2CVSS6.1AI score0.00371EPSS
Exploits0References3
CVE
CVE
added 5 days ago11 views

CVE-2026-56261

CVE-2026-56261 affects Crawl4AI prior to 0.8.7. The Docker API server endpoints /crawl/job and /llm/job accept webhook URLs without destination validation, allowing SSRF to private/internal IP ranges, Docker networks, or cloud metadata endpoints (e.g., 169.254.169.254). Potential impact is exposu...

9.2CVSS6.1AI score0.00371EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/07/06 8:16 p.m.36 views

CVE-2026-57572 Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server accepted request-supplied browserconfig.extraargs, which flowed into Chromium's launch arguments. An attacker could inject Chromium switches that replace a child-process launch command together...

10CVSS0.00523EPSS
Exploits0References2
OSV
OSV
added 2026/07/06 8:11 p.m.4 views

CVE-2026-57573 Crawl4AI unauthenticated SSRF in Docker streaming crawl endpoint

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server applied its SSRF destination check on the non-streaming /crawl path but not on the streaming path. handlestreamcrawlrequest passed seed URLs straight to the crawler with no destination validatio...

8.6CVSS6AI score0.00262EPSS
Exploits0References4
NVD
NVD
added 2026/07/06 1:16 a.m.9 views

CVE-2026-14784

A vulnerability was identified in vxcontrol PentAGI up to 2.1.0. This affects an unknown function of the file backend/pkg/docker/client.go of the component Docker API. The manipulation leads to sandbox issue. The attack may be initiated remotely. The pull request to fix this issue awaits acceptan...

6.5CVSS0.00228EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/07/06 12:0 a.m.36 views

CVE-2026-14784 vxcontrol PentAGI Docker API client.go sandbox

A vulnerability was identified in vxcontrol PentAGI up to 2.1.0. This affects an unknown function of the file backend/pkg/docker/client.go of the component Docker API. The manipulation leads to sandbox issue. The attack may be initiated remotely. The pull request to fix this issue awaits acceptan...

6.5CVSS0.00228EPSS
Exploits0References7
CVE
CVE
added 2026/07/06 12:0 a.m.12 views

CVE-2026-14784

CVE-2026-14784 affects vxcontrol PentAGI up to 2.1.0, involving the Docker API client (backend/pkg/docker/client.go) and a sandbox issue in an unknown function. The advisory notes a remote-initiated attack vector, with a pull request to fix this issue awaiting acceptance. There are no details in ...

6.5CVSS6.2AI score0.00228EPSS
Exploits0References7
OSV
OSV
added 2026/07/06 12:0 a.m.2 views

CVE-2026-14784 vxcontrol PentAGI Docker API client.go sandbox

A vulnerability was identified in vxcontrol PentAGI up to 2.1.0. This affects an unknown function of the file backend/pkg/docker/client.go of the component Docker API. The manipulation leads to sandbox issue. The attack may be initiated remotely. The pull request to fix this issue awaits acceptan...

5.3CVSS6.1AI score0.00228EPSS
Exploits0References9
EUVD
EUVD
added 2026/07/01 12:34 a.m.8 views

EUVD-2026-40431

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /executejs endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary...

9.2CVSS6.2AI score0.00334EPSS
Exploits0References4
PyPA
PyPA
added 2026/06/30 11:17 p.m.5 views

PYSEC-2026-798

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /executejs endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary...

9.2CVSS6.3AI score0.00334EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/30 10:8 p.m.15 views

CVE-2026-56264

CVE-2026-56264 affects Crawl4AI prior to 0.8.7. The Docker API server’s /execute_js endpoint accepts and executes arbitrary JavaScript in the server’s browser context with --disable-web-security enabled, enabling an attacker to run arbitrary JS and, given relaxed browser security, perform server-...

9.2CVSS6.2AI score0.00334EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/30 10:8 p.m.4 views

CVE-2026-56264 Crawl4AI - Arbitrary JavaScript Execution via /execute_js Endpoint

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /executejs endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary...

9.2CVSS6.3AI score0.00421EPSS
Exploits0References5
Rows per page
Query Builder