Description
Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.
Published: 2026-06-30
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated user can submit arbitrary JavaScript to the /execute_js endpoint of the Docker API server, where it is run in the server's browser context when the --disable-web-security flag is active. This direct code execution can lead to server‑side request forgery and other malicious actions, exposing internal services and compromising the confidentiality, integrity, and availability of the hosting system.

Affected Systems

Crawl4AI applications before version 0.8.7 are susceptible. The affected component is the Docker API server's /execute_js endpoint, which processes any JavaScript payload sent by an external client.

Risk and Exploitability

With a CVSS score of 9.2, the vulnerability is classified as critical. Because the endpoint is reachable over the network, an attacker can remotely trigger JavaScript execution without requiring authentication. While the EPSS score is unavailable, the combination of arbitrary code execution and the ability to target internal services via SSRF raises the likelihood of exploitation in environments where the Docker API server is exposed or the security flag is left enabled. The vulnerability is not listed in the CISA KEV catalog, but the lack of mitigation makes it a high‑priority risk.

Generated by OpenCVE AI on June 30, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 0.8.7 or newer, where the /execute_js endpoint has been removed or hardened.
  • Disable the --disable-web-security flag and prevent browser context execution if the endpoint is still required.
  • Restrict network access to the Docker API server, allowing only trusted internal hosts.

Generated by OpenCVE AI on June 30, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.
Title Crawl4AI - Arbitrary JavaScript Execution via /execute_js Endpoint
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:26.600Z

Reserved: 2026-06-20T01:42:20.615Z

Link: CVE-2026-56264

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')