Filtered by vendor Crewai
Subscriptions
Filtered by product Crewai
Subscriptions
Total
5 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-62240 | 1 Crewai | 1 Crewai | 2026-07-13 | 7.4 High |
| CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal addresses or use DNS rebinding techniques to access internal services and cloud metadata endpoints. | ||||
| CVE-2026-2285 | 1 Crewai | 1 Crewai | 2026-04-15 | 7.5 High |
| CrewAI contains a arbitrary local file read vulnerability in the JSON loader tool that reads files without path validation, enabling access to files on the server. | ||||
| CVE-2026-2287 | 1 Crewai | 1 Crewai | 2026-04-15 | 9.8 Critical |
| CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation. | ||||
| CVE-2026-2286 | 1 Crewai | 1 Crewai | 2026-04-15 | 9.8 Critical |
| CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime. | ||||
| CVE-2026-2275 | 1 Crewai | 1 Crewai | 2026-04-03 | 9.6 Critical |
| The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable RCE through arbitrary C function calling. | ||||
Page 1 of 1.