PT-2026-36977 · Unknown · Archivebox

Q1Uf3Ng

Published 2026-05-04 · Updated 2026-05-10 · CVE-2026-42601

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ArchiveBox (affected versions not specified)
Description: The '/add/' endpoint (AddView in core/views.py) allows arbitrary configuration to be injected into crawl jobs because the config JSON field of the request is merged into the crawl configuration without validation. That configuration is later exported as environment variables when archive plugins run, so an attacker can inject tool arguments and achieve remote code execution. When the PUBLIC_ADD_VIEW setting is True, the endpoint can be reached without authentication; it is also decorated with @csrf_exempt, so the usual Cross-Site Request Forgery protection (which stops a browser from submitting state-changing requests on behalf of a logged-in user without that user's intent) does not apply either. Specifically, the config parameter can override keys such as YTDLP_ARGS_EXTRA or GALLERYDL_ARGS_EXTRA, and the --exec flag of yt-dlp and gallery-dl then runs an arbitrary command on the archiving host.
Recommendations: As a temporary workaround, set PUBLIC_ADD_VIEW to False so that the '/add/' endpoint requires authentication. Until a patch is available, also restrict (or ignore) the config parameter of the '/add/' endpoint, since the endpoint remains reachable by authenticated users.
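The merge-then-export path described above, modelled in Python as an added example (this is not ArchiveBox's own code; the function names, the allowlist and the request field contents are assumptions chosen for illustration). It shows an unvalidated dict merge letting a client-supplied YTDLP_ARGS_EXTRA reach the plugin environment, an audit function that flags the keys and flags a practitioner would check for, and a hardened merge that only accepts an explicit allowlist of client-overridable keys:

```python
"""Model of the ArchiveBox /add/ config-merge weakness (added example).

Not ArchiveBox code: ALLOWED_CLIENT_CONFIG_KEYS, the function names and the
request payload are assumptions. The flow mirrors the advisory: a config
dict from the request is merged into the crawl config, then exported as
environment variables for the archiving plugins.
"""
import re
import shlex

# Hypothetical allowlist of keys a request may override. ArchiveBox does
# not ship this list; a fix would need an equivalent.
ALLOWED_CLIENT_CONFIG_KEYS = {"DEPTH", "TIMEOUT", "SAVE_PDF", "SAVE_SCREENSHOT"}

# Keys named in the advisory: their values become extra CLI arguments for
# yt-dlp and gallery-dl, so any flag in them is passed straight to the tool.
TOOL_ARGS_KEYS = {"YTDLP_ARGS_EXTRA", "GALLERYDL_ARGS_EXTRA"}

# --exec is the flag the advisory names for both tools; the other two are
# an assumption about further yt-dlp flags that run commands.
DANGEROUS_FLAG_RE = re.compile(r"^--?(exec|exec-before-download|postprocessor-args)(=|$)")

# Constructed server defaults and a constructed malicious request config.
SERVER_DEFAULTS = {"DEPTH": 0, "TIMEOUT": 60, "YTDLP_ARGS_EXTRA": ""}
MALICIOUS_REQUEST_CONFIG = {
    "DEPTH": 1,
    "YTDLP_ARGS_EXTRA": "--exec 'echo owned'",
}


def merge_config_vulnerable(defaults: dict, user_config: dict) -> dict:
    """Unvalidated merge: every client-supplied key overrides the server value."""
    merged = dict(defaults)
    merged.update(user_config)
    return merged


def config_to_env(config: dict) -> dict:
    """Export a merged config the way a plugin runner would: as env var strings."""
    env = {}
    for key, value in config.items():
        if isinstance(value, bool):
            value = "True" if value else "False"
        elif isinstance(value, (list, tuple)):
            value = shlex.join(str(v) for v in value)
        env[str(key).upper()] = str(value)
    return env


def find_dangerous_flags(value) -> list:
    """Return the argv tokens in a *_ARGS_EXTRA value that would run a command."""
    tokens = list(value) if isinstance(value, (list, tuple)) else shlex.split(str(value))
    return [t for t in tokens if DANGEROUS_FLAG_RE.match(t)]


def audit_config(user_config: dict) -> list:
    """Findings for a client-supplied config: unknown keys and exec-style flags."""
    findings = []
    for key, value in user_config.items():
        if key not in ALLOWED_CLIENT_CONFIG_KEYS:
            findings.append(f"{key}: not an allowed client-overridable key")
        if key in TOOL_ARGS_KEYS:
            for flag in find_dangerous_flags(value):
                findings.append(f"{key}: contains command-execution flag {flag}")
    return findings


def merge_config_hardened(defaults: dict, user_config: dict) -> dict:
    """Allowlist merge: refuse the whole request if any key or flag is rejected."""
    findings = audit_config(user_config)
    if findings:
        raise ValueError("; ".join(findings))
    merged = dict(defaults)
    merged.update(user_config)
    return merged


if __name__ == "__main__":
    env = config_to_env(merge_config_vulnerable(SERVER_DEFAULTS, MALICIOUS_REQUEST_CONFIG))
    print("plugin env gets:", env["YTDLP_ARGS_EXTRA"])  # the --exec flag reaches the tool
    for finding in audit_config(MALICIOUS_REQUEST_CONFIG):
        print("finding:", finding)
    try:
        merge_config_hardened(SERVER_DEFAULTS, MALICIOUS_REQUEST_CONFIG)
    except ValueError as exc:
        print("hardened merge rejected request:", exc)
```

The allowlist is the important part: filtering only for `--exec` would leave every other tool flag reachable, whereas rejecting unknown keys outright keeps the *_ARGS_EXTRA keys server-controlled regardless of which flags a given tool version accepts.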

Exploit

Fix

RCE

Argument Injection

Weakness Enumeration

Related Identifiers

CVE-2026-42601
GHSA-3H23-7824-PJ8R

Affected Products

Archivebox