Arbitrary File Write Vulnerability in Crawl4AI Web Crawler by Unclecode
CVE-2026-57571

9.6CRITICAL

Key Information:

Vendor

Unclecode

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-57571?

Crawl4AI, an open-source web crawler and scraper developed by Unclecode, before version 0.9.0 is susceptible to an arbitrary file write vulnerability. This issue arises when the crawler saves files downloaded from the web, allowing attackers to influence the destination filename used for these files. An attacker can provide a filename that bypasses normal directory confinement by using absolute paths or traversal sequences. Consequently, this can lead to unauthorized file writes within the server, potentially enabling remote code execution due to the attacker-controlled content in the written files. This vulnerability has been addressed in version 0.9.0.

Affected Version(s)

crawl4ai < 0.9.0

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.