CVE-2026-56263
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
Crawl4AI before version 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard. The dashboard renders crawl URLs and error messages via innerHTML without escaping, allowing an attacker to submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing the dashboard.
Risk Assessment
An attacker can hijack the operator's session, steal credentials, or perform other unauthorized actions within the context of the monitor dashboard, compromising system confidentiality and integrity.
Recommendation
Immediately update Crawl4AI to version 0.8.7 or later, which includes a fix for this vulnerability. Until the update is applied, restrict access to the monitor dashboard to trusted operators only.
Original NVD description (English source)
Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing the dashboard.

