PT-2026-57551 · Crawl4Ai · Crawl4Ai

Published

2026-07-12

·

Updated

2026-07-12

·

CVE-2026-56260

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions Crawl4AI versions prior to 0.8.7
Description An arbitrary file write issue exists in the Docker API server. The '/screenshot' and '/pdf' endpoints do not validate the output path parameter, which allows an attacker to use absolute paths or path-traversal sequences to write files to any location accessible by the application user. This can lead to the overwriting of server files and result in a denial of service.
Recommendations Update to version 0.8.7 or later. As a temporary mitigation, restrict access to the '/screenshot' and '/pdf' endpoints or avoid using the output path parameter until the update is applied.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56260

Affected Products

Crawl4Ai