CVE-2026-42601
CriticalSummary
ArchiveBox is a web archiving system that, in versions 0.8.6rc0 and prior, has a vulnerability in the /add/ endpoint. The config JSON field is merged into the crawl config without validation, allowing injection of arbitrary tool arguments, leading to remote code execution (RCE).
Risk Assessment
The lack of input validation poses a risk of remote code execution, which could allow unauthorized users to gain control over the system.
Recommendation
It is recommended to update to the latest version of ArchiveBox as soon as patches are available and to restrict access to the /add/ endpoint to trusted users.
Original NVD description (English source)
ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. At time of publication, there are no publicly available patches.

