Open-source LLM Friendly Web Crawler Vulnerability in Crawl4AI
CVE-2026-53753

9.8CRITICAL

Key Information:

Vendor: Unclecode
Status: Crawl4ai
Vendor: CVE Published:; 23 June 2026

What is CVE-2026-53753?

Crawl4AI, an open-source LLM-friendly web crawler, prior to version 0.8.7, contains a critical vulnerability in its computed fields feature. The _safe_eval_expression() function employs an AST validator that inadequately restricts attribute access, allowing attributes without an underscore prefix to execute arbitrary code. This enables attackers to escape the intended sandbox environment and execute malicious commands, potentially compromising the integrity of the system. The vulnerability can be exploited without authentication, as JWT is disabled by default, making it accessible through a crafted POST request to /crawl. The issue was resolved in version 0.8.7.

Affected Version(s)

crawl4ai < 0.8.7

References

https://github.com/unclecode/crawl4ai/security/advisories...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2026
Vulnerability Reserved
Jun 10, 2026

CVE-2026-53753 Data

JSON

Unclecode

What is CVE-2026-53753?

Affected Version(s)

References

CVSS V3.1

Timeline