3 matches found
EUVD-2026-40431
Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /executejs endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary...
CVE-2026-26217
Crawl4AI versions prior to 0.8.0 contain a local file inclusion vulnerability in the Docker API deployment. The /executejs, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing unauthenticated remote attackers to read arbitrary files from the server filesystem. An attacker can...
Crawl4AI Has Local File Inclusion in Docker API via file:// URLs
A local file inclusion vulnerability exists in the Crawl4AI Docker API. The /executejs, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing attackers to read arbitrary files from the server filesystem. Attack Vector: json POST /executejs "url": "file:///etc/passwd", "scripts":...