CVE-2026-26216

Source
https://cve.org/CVERecord?id=CVE-2026-26216
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26216.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26216
Aliases
Published
2026-02-12T16:16:17.447Z
Modified
2026-04-10T05:43:00.102341Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
[none]
Details

Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The import builtin was included in the allowed builtins, allowing unauthenticated remote attackers to import arbitrary modules and execute system commands. Successful exploitation allows full server compromise, including arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks.

References

Affected packages

Git / github.com/unclecode/crawl4ai

Affected ranges

Type
GIT
Repo
https://github.com/unclecode/crawl4ai
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.0"
        }
    ]
}

Affected versions

0.*
0.3.4
v.*
v.3.72
v0.*
v0.0.75
v0.1.0
v0.2.0
v0.2.1
v0.2.4
v0.2.6
v0.2.7
v0.2.71
v0.2.72
v0.2.73
v0.2.74
v0.2.77
v0.3.0
v0.3.3
v0.3.6
v0.3.745
v0.4.24
v0.4.243
v0.5.0.post1
v0.6.3
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
vr0.*
vr0.6.0
vr0.6.0rc1
vr0.6.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26216.json"