CVE Catalog

CVE-2026-56264

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.52%

40th percentile — higher than 40% of all known CVEs

Summary

Crawl4AI before version 0.8.7 contains an arbitrary JavaScript execution vulnerability in the /execute_js endpoint of the Docker API server. An attacker can submit malicious scripts that execute in the server's browser context with disabled web security.

Risk Assessment

The risk includes server-side request forgery (SSRF) against internal services and unauthorized operations in the server's browser, potentially leading to data breaches or privilege escalation.

Recommendation

Upgrade Crawl4AI to version 0.8.7 or later immediately. If upgrading is not possible, restrict access to the /execute_js endpoint to trusted IP addresses only.

Original NVD description (English source)

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS