Description
Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing the dashboard.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crawl4AI before version 0.8.7 renders crawl URLs and error messages into the monitor dashboard via innerHTML without escaping user‑supplied markup. This results in a stored cross‑site scripting vulnerability that can execute arbitrary JavaScript when an operator views the dashboard. An attacker who submits a specially crafted crawl request can embed malicious code within the crawl details, and that code will run in the browser of any logged‑in operator, potentially allowing credential theft or session hijacking. The impact is confined to the browser context of affected users and does not compromise the server itself.

Affected Systems

The vulnerability affects the Crawl4AI application prior to release 0.8.7. Any installation of Crawl4AI that has not been upgraded to version 0.8.7 or later remains susceptible.

Risk and Exploitability

The CVSS v3.1 score of 5.3 indicates a medium level of severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. Exploitation requires an attacker to be able to submit a crawl request that contains malicious markup, and the malicious code is only executed when an authorized operator views the monitor dashboard. While the attack surface is somewhat limited, the risk of cross‑site scripting to privileged users warrants timely remediation.

Generated by OpenCVE AI on June 23, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Crawl4AI to version 0.8.7 or later, which removes the unescaped innerHTML rendering from the monitor dashboard.
  • If an update is not immediately possible, sanitize or escape all user‑supplied crawl URLs and error messages before rendering them in the dashboard to eliminate the stored XSS vector.
  • Restrict the submission of crawl requests to trusted administrators and review any existing crawl history for embedded scripts before allowing operators to view the dashboard.
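The pattern described above, shown as an added example rather than Crawl4AI's own dashboard code: an unescaped innerHTML-style renderer beside two hardened variants (escape before interpolation, or write text nodes instead of markup), plus a small scan over stored crawl history of the kind the last action above asks for. Function names, record fields and the sample records are assumptions constructed for the example.

```javascript
// Added example (not Crawl4AI's code). Field names `url` and `error` and the
// sample records below are constructed for illustration.

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: untrusted fields interpolated straight into a markup
// string that is later assigned to element.innerHTML. Any tag in the crawl
// URL or error message is parsed as HTML by the operator's browser.
function renderRowUnsafe(crawl) {
  return `<tr><td>${crawl.url}</td><td>${crawl.error}</td></tr>`;
}

// Hardened pattern 1: every untrusted field is escaped before it enters the
// markup, so the browser shows the tag text instead of executing it.
function renderRowSafe(crawl) {
  return `<tr><td>${escapeHtml(crawl.url)}</td><td>${escapeHtml(crawl.error)}</td></tr>`;
}

// Hardened pattern 2: avoid HTML strings entirely. `doc` is a real `document`
// in a browser (or any object exposing createElement); textContent never
// parses markup, so no escaping step can be forgotten.
function appendRowAsText(doc, tbody, crawl) {
  const tr = doc.createElement("tr");
  for (const field of [crawl.url, crawl.error]) {
    const td = doc.createElement("td");
    td.textContent = String(field);
    tr.appendChild(td);
  }
  tbody.appendChild(tr);
  return tr;
}

// Review helper for already-stored history: flag records whose fields carry
// markup or a javascript: scheme so they can be inspected before an operator
// opens the dashboard.
function findMarkupInHistory(records) {
  const pattern = /[<>]|&#|javascript:/i;
  return records.filter((r) => pattern.test(r.url) || pattern.test(r.error));
}

// Constructed sample: one benign record and one whose URL carries markup.
const sampleHistory = [
  { url: "https://example.org/page", error: "timeout after 30s" },
  { url: "https://example.org/<script>probe()</script>", error: "" },
];

console.log("unsafe:", renderRowUnsafe(sampleHistory[1]));
console.log("safe:  ", renderRowSafe(sampleHistory[1]));
console.log("flagged records:", findMarkupInHistory(sampleHistory).length);
```

In a real dashboard the second hardened form is the one to prefer: once rows are built with createElement and textContent, there is no innerHTML assignment left to audit.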

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Crawl4ai; Crawl4ai crawl4ai
Vendors & Products | | Crawl4ai; Crawl4ai crawl4ai

Tue, 23 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing the dashboard.
Title | | Crawl4AI - Stored Cross-Site Scripting in Monitor Dashboard
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T12:13:00.000Z

Reserved: 2026-06-20T01:42:20.615Z

Link: CVE-2026-56263

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T21:03:03Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')