Arbitrary File Write Vulnerability in Crawl4AI Docker API Server
CVE-2026-56260
8.8HIGH
What is CVE-2026-56260?
Crawl4AI versions prior to 0.8.7 contain a vulnerability that allows attackers to exploit the Docker API server's /screenshot and /pdf endpoints. The output_path parameter does not validate user input, enabling attackers to provide arbitrary filesystem paths. This flaw can lead to unauthorized file writing, permitting the overwriting of server files and potential denial of service, posing a significant risk to the application's integrity and security.
Affected Version(s)
Crawl4AI 0 < 0.8.7
Crawl4AI 0.8.7
