CVE Catalog

CVE-2026-56264

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.52%

40th percentile — higher than 40% of all known CVEs

Summary

Crawl4AI before version 0.8.7 contains an arbitrary JavaScript execution vulnerability in the /execute_js endpoint of the Docker API server. An attacker can execute arbitrary JavaScript in the server's browser context with disabled web security, enabling SSRF attacks against internal services.

Risk Assessment

The risk involves potential server compromise and attacks on internal network resources, which could lead to data leakage or further infrastructure compromise.

Recommendation

Immediately update Crawl4AI to version 0.8.7 or later and restrict access to the /execute_js endpoint to trusted users only.

Original NVD description (English source)

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS