CVE-2026-56264
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk40th percentile — higher than 40% of all known CVEs
Summary
Crawl4AI before version 0.8.7 contains an arbitrary JavaScript execution vulnerability in the /execute_js endpoint of the Docker API server. An attacker can submit malicious scripts that execute in the server's browser context with disabled web security.
Risk Assessment
The risk includes server-side request forgery (SSRF) against internal services and unauthorized operations in the server's browser, potentially leading to data breaches or privilege escalation.
Recommendation
Upgrade Crawl4AI to version 0.8.7 or later immediately. If upgrading is not possible, restrict access to the /execute_js endpoint to trusted IP addresses only.
Original NVD description (English source)
Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.

