Description
ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. At time of publication, there are no publicly available patches.
Published: 2026-05-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ArchiveBox, an open-source self-hosted web archiving tool, contains a flaw in its AddView endpoint, which accepts a configuration JSON without validation. The JSON is merged into the crawl configuration and exported as environment variables for archive plugins. An attacker can supply malicious configuration data to inject arbitrary tool arguments, resulting in remote code execution. The weakness is classified as CWE-88 (argument injection): untrusted data reaches a tool's arguments, here by way of environment variables, and leads to code execution.
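The mechanism above (caller-supplied JSON merged verbatim into the crawl config and then exported to plugin subprocesses) is a general pattern, and the usual fix is an allow-list of override keys with typed validators applied before the merge. The following is an added illustration written for this page, not ArchiveBox's own code: the config key names, the ARCHIVE_ environment prefix and the request bodies are all constructed assumptions. It shows the unsafe merge beside a validated merge so the difference in what reaches the plugin environment is visible.

```python
"""Validating per-crawl config overrides before they reach plugin subprocesses.

Hypothetical example written for this page, not ArchiveBox's own code: the
config key names, the ARCHIVE_ prefix used for the plugin environment and
the sample request bodies below are all constructed for illustration.
"""
import json


def _int_in_range(lo, hi):
    """Return a validator accepting only an int (not bool) within [lo, hi]."""
    def check(value):
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"expected integer, got {value!r}")
        if not lo <= value <= hi:
            raise ValueError(f"expected value in [{lo}, {hi}], got {value!r}")
        return value
    return check


def _bool(value):
    """Accept only a JSON boolean."""
    if not isinstance(value, bool):
        raise ValueError(f"expected boolean, got {value!r}")
    return value


# Allow-list of overrides a caller may set per request, each pinned to a type
# and range.  Keys that select tool binaries or carry free-form argument
# strings are deliberately absent, so they can never be set per request.
# (Hypothetical key names.)
ALLOWED_OVERRIDES = {
    "TIMEOUT": _int_in_range(1, 3600),
    "MAX_DEPTH": _int_in_range(0, 5),
    "SAVE_SCREENSHOT": _bool,
    "SAVE_PDF": _bool,
}


def unsafe_merge(base_config, untrusted):
    """The pattern the advisory describes: caller-supplied keys are merged
    verbatim, so any key the plugins honour can be overridden."""
    merged = dict(base_config)
    merged.update(untrusted)
    return merged


def safe_merge(base_config, untrusted):
    """Merge only allow-listed keys whose values pass their validator."""
    if not isinstance(untrusted, dict):
        raise ValueError("config override must be a JSON object")
    merged = dict(base_config)
    for key, value in untrusted.items():
        validator = ALLOWED_OVERRIDES.get(key)
        if validator is None:
            raise ValueError(f"config key not permitted per request: {key!r}")
        merged[key] = validator(value)
    return merged


def plugin_env(config):
    """Serialise the crawl config into the environment handed to plugin
    subprocesses (hypothetical ARCHIVE_ prefix, every value as a string)."""
    env = {}
    for key, value in config.items():
        if isinstance(value, bool):
            env[f"ARCHIVE_{key}"] = "true" if value else "false"
        else:
            env[f"ARCHIVE_{key}"] = str(value)
    return env


def handle_add(body, base_config):
    """Parse an /add/-style JSON body and return the validated plugin env.
    Raises ValueError on any override that is not allow-listed."""
    data = json.loads(body)
    overrides = data.get("config", {})
    return plugin_env(safe_merge(base_config, overrides))


# Constructed server-side base config and two constructed request bodies:
# one benign, one attempting to override a key that is not allow-listed.
BASE_CONFIG = {"TIMEOUT": 60, "MAX_DEPTH": 1, "SAVE_SCREENSHOT": True,
               "SAVE_PDF": False, "TOOL_BINARY": "/usr/bin/tool"}
BENIGN_BODY = json.dumps({"urls": ["https://example.com"],
                          "config": {"TIMEOUT": 120, "SAVE_PDF": True}})
HOSTILE_BODY = json.dumps({"urls": ["https://example.com"],
                           "config": {"TOOL_BINARY": "/tmp/not-the-tool"}})


def is_rejected(overrides):
    """True when safe_merge refuses the given override object."""
    try:
        safe_merge(BASE_CONFIG, overrides)
    except ValueError:
        return True
    return False


def demo():
    """Return (validated env for the benign body,
               env the unsafe merge would hand plugins for the hostile body,
               whether the validated path rejected the hostile body)."""
    safe = handle_add(BENIGN_BODY, BASE_CONFIG)
    hostile = json.loads(HOSTILE_BODY)["config"]
    leaked = plugin_env(unsafe_merge(BASE_CONFIG, hostile))
    return safe, leaked, is_rejected(hostile)


if __name__ == "__main__":
    safe, leaked, rejected = demo()
    print("validated env:", safe)
    print("unsafe merge exports TOOL_BINARY as:", leaked["ARCHIVE_TOOL_BINARY"])
    print("hostile override rejected by safe_merge:", rejected)
```

The design point is that validation happens on the key set and value types, not on the string contents of an argument: rejecting unknown keys outright means a plugin's binary path or argument list can only come from the server-side configuration, and pinning types means a value such as TIMEOUT cannot carry anything but an integer into the environment.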

Affected Systems

The vulnerability affects ArchiveBox releases 0.8.6rc0 and older. Users running these versions on any platform that exposes the /add/ API endpoint are at risk. The software is deployed under many self-hosted setups, so the attack surface is potentially wide.

Risk and Exploitability

With a CVSS score of 9.3, this flaw is considered critical. The exploit requires the ability to post a crafted JSON payload to the /add/ endpoint; no authentication requirement is documented, so the vulnerability might be exploitable by anyone who can reach the API, further increasing risk. The EPSS score is unavailable, and the vulnerability is not yet listed in CISA's KEV catalog, but the lack of a patch means the window for exploitation remains open. Administrators should treat this as a high-priority issue, monitor for an official fix, and harden the endpoint.

Generated by OpenCVE AI on May 9, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release newer than 0.8.6rc0 as soon as one is available.
  • Restrict network access to the /add/ endpoint, for example by placing the service behind a firewall or requiring authentication.
  • Monitor the project’s GitHub repository and security advisories for patches, and apply any update immediately.

Tracking

Advisories
Source: Github GHSA
ID: GHSA-3h23-7824-pj8r
Title: ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView
History

Sat, 09 May 2026 21:15:00 +0000

Type: First Time appeared
  Values Removed: (none listed)
  Values Added: Archivebox; Archivebox archivebox
Type: Vendors & Products
  Values Removed: (none listed)
  Values Added: Archivebox; Archivebox archivebox

Sat, 09 May 2026 19:45:00 +0000

Type: Description
  Values Removed: (none listed)
  Values Added: ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. At time of publication, there are no publicly available patches.
Type: Title
  Values Removed: (none listed)
  Values Added: ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView
Type: Weaknesses
  Values Removed: (none listed)
  Values Added: CWE-88
Type: References
  Values Removed: (none listed)
  Values Added: (none listed)
Type: Metrics
  Values Removed: (none listed)
  Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Archivebox Archivebox
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:29:23.265Z

Reserved: 2026-04-29T00:31:15.725Z

Link: CVE-2026-42601

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T20:16:29.873

Modified: 2026-05-09T20:16:29.873

Link: CVE-2026-42601

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T21:00:11Z

Weaknesses