Arbitrary JavaScript Execution Vulnerability in Crawl4AI by Unclecode
CVE-2026-56264
9.2CRITICAL
What is CVE-2026-56264?
An arbitrary JavaScript execution vulnerability has been identified in Crawl4AI prior to version 0.8.7. This vulnerability resides in the Docker API server's /execute_js endpoint, which allows arbitrary user-supplied JavaScript to be executed within the server's browser context, particularly when the --disable-web-security flag is enabled. Exploiting this flaw could enable an attacker to execute malicious JavaScript, thereby potentially allowing server-side request forgery against internal services. This presents a significant risk to the integrity and confidentiality of the affected systems.
Affected Version(s)
Crawl4AI 0 < 0.8.7
Crawl4AI 0.8.7
