Arbitrary JavaScript Execution Vulnerability in Crawl4AI by Unclecode
CVE-2026-56264

9.2CRITICAL

Key Information:

Vendor

Crawl4ai

Status
Vendor
CVE Published:
30 June 2026

What is CVE-2026-56264?

An arbitrary JavaScript execution vulnerability has been identified in Crawl4AI prior to version 0.8.7. This vulnerability resides in the Docker API server's /execute_js endpoint, which allows arbitrary user-supplied JavaScript to be executed within the server's browser context, particularly when the --disable-web-security flag is enabled. Exploiting this flaw could enable an attacker to execute malicious JavaScript, thereby potentially allowing server-side request forgery against internal services. This presents a significant risk to the integrity and confidentiality of the affected systems.

Affected Version(s)

Crawl4AI 0 < 0.8.7

Crawl4AI 0.8.7

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.