Arbitrary File Write Vulnerability in Crawl4AI by UncleCode
CVE-2026-56258

9.2CRITICAL

Key Information:

Vendor: Crawl4ai
Status: Crawl4ai
Vendor: CVE Published:; 23 June 2026

What is CVE-2026-56258?

Crawl4AI prior to version 0.8.8 is vulnerable to an arbitrary file write issue found in its screenshot and PDF endpoints. This vulnerability allows unauthenticated attackers to exploit insufficient path validation, utilizing symlink and time-of-check-time-of-use (TOCTOU) attacks on the output_path parameter. Consequently, attackers can write files outside of the intended directory structure, which may lead to arbitrary file creation and potential code execution on systems where the runtime user possesses write access to critical executable or cron locations.

Affected Version(s)

Crawl4AI 0 < 0.8.8

Crawl4AI 0.8.8

References

https://github.com/unclecode/crawl4ai/security/advisories...

vendor-advisory

https://www.vulncheck.com/advisories/crawl4ai-arbitrary-f...

third-party-advisory

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2026
Vulnerability Reserved
Jun 19, 2026

CVE-2026-56258 Data

JSON

Crawl4ai

What is CVE-2026-56258?

Affected Version(s)

References

CVSS V4

Timeline