PT-2026-57551 · Crawl4Ai · Crawl4Ai
Published
2026-07-12
·
Updated
2026-07-12
·
CVE-2026-56260
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Crawl4AI versions prior to 0.8.7
Description
An arbitrary file write issue exists in the Docker API server. The '/screenshot' and '/pdf' endpoints do not validate the
output path parameter, which allows an attacker to use absolute paths or path-traversal sequences to write files to any location accessible by the application user. This can lead to the overwriting of server files and result in a denial of service.Recommendations
Update to version 0.8.7 or later.
As a temporary mitigation, restrict access to the '/screenshot' and '/pdf' endpoints or avoid using the
output path parameter until the update is applied.Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Crawl4Ai