Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.
History

Wed, 01 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Crawl4ai
Crawl4ai crawl4ai
Vendors & Products Crawl4ai
Crawl4ai crawl4ai

Tue, 30 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.
Title Crawl4AI - Arbitrary JavaScript Execution via /execute_js Endpoint
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-06-30T22:08:26.600Z

Updated: 2026-07-01T14:59:24.723Z

Reserved: 2026-06-20T01:42:20.615Z

Link: CVE-2026-56264

cve-icon Vulnrichment

Updated: 2026-07-01T14:59:19.916Z

cve-icon NVD

No data.

cve-icon Redhat

No data.