Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/crawl4ai@0.4.24
Type pypi
Namespace
Name crawl4ai
Version 0.4.24
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 0.8.0
Latest_non_vulnerable_version 0.8.0
Affected_by_vulnerabilities
0
url VCID-ef5j-f7yr-7yfk
vulnerability_id VCID-ef5j-f7yr-7yfk
summary Crawl4AI versions prior to 0.8.0 contain a local file inclusion vulnerability in the Docker API deployment. The /execute_js, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing unauthenticated remote attackers to read arbitrary files from the server filesystem. An attacker can access sensitive files such as /etc/passwd, /etc/shadow, application configuration files, and environment variables via /proc/self/environ, potentially exposing credentials, API keys, and internal application structure.
references
0
reference_url https://github.com/unclecode/crawl4ai
reference_id
reference_type
scores
url https://github.com/unclecode/crawl4ai
1
reference_url https://github.com/unclecode/crawl4ai/blob/main/docs/blog/release-v0.8.0.md
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/unclecode/crawl4ai/blob/main/docs/blog/release-v0.8.0.md
2
reference_url https://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/blog/release-v0.8.0.md
reference_id
reference_type
scores
url https://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/blog/release-v0.8.0.md
3
reference_url https://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/migration/v0.8.0-upgrade-guide.md
reference_id
reference_type
scores
url https://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/migration/v0.8.0-upgrade-guide.md
4
reference_url https://github.com/unclecode/crawl4ai/security/advisories/GHSA-vx9w-5cx4-9796
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/unclecode/crawl4ai/security/advisories/GHSA-vx9w-5cx4-9796
5
reference_url https://www.vulncheck.com/advisories/crawl4ai-docker-api-local-file-inclusion-via-file-url-handling
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://www.vulncheck.com/advisories/crawl4ai-docker-api-local-file-inclusion-via-file-url-handling
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26217
reference_id CVE-2026-26217
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-26217
7
reference_url https://github.com/advisories/GHSA-vx9w-5cx4-9796
reference_id GHSA-vx9w-5cx4-9796
reference_type
scores
url https://github.com/advisories/GHSA-vx9w-5cx4-9796
fixed_packages
0
url pkg:pypi/crawl4ai@0.8.0
purl pkg:pypi/crawl4ai@0.8.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/crawl4ai@0.8.0
aliases CVE-2026-26217, GHSA-vx9w-5cx4-9796, PYSEC-2026-34
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ef5j-f7yr-7yfk
1
url VCID-tvag-1xns-5yck
vulnerability_id VCID-tvag-1xns-5yck
summary Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins, allowing unauthenticated remote attackers to import arbitrary modules and execute system commands. Successful exploitation allows full server compromise, including arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks.
references
0
reference_url https://github.com/unclecode/crawl4ai
reference_id
reference_type
scores
url https://github.com/unclecode/crawl4ai
1
reference_url https://github.com/unclecode/crawl4ai/blob/main/docs/blog/release-v0.8.0.md
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
url https://github.com/unclecode/crawl4ai/blob/main/docs/blog/release-v0.8.0.md
2
reference_url https://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/blog/release-v0.8.0.md
reference_id
reference_type
scores
url https://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/blog/release-v0.8.0.md
3
reference_url https://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/migration/v0.8.0-upgrade-guide.md
reference_id
reference_type
scores
url https://github.com/unclecode/crawl4ai/blob/release/v0.8.0/docs/migration/v0.8.0-upgrade-guide.md
4
reference_url https://github.com/unclecode/crawl4ai/security/advisories/GHSA-5882-5rx9-xgxp
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
url https://github.com/unclecode/crawl4ai/security/advisories/GHSA-5882-5rx9-xgxp
5
reference_url https://www.vulncheck.com/advisories/crawl4ai-docker-api-unauthenticated-remote-code-execution-via-hooks-parameter
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
url https://www.vulncheck.com/advisories/crawl4ai-docker-api-unauthenticated-remote-code-execution-via-hooks-parameter
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26216
reference_id CVE-2026-26216
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-26216
7
reference_url https://github.com/advisories/GHSA-5882-5rx9-xgxp
reference_id GHSA-5882-5rx9-xgxp
reference_type
scores
url https://github.com/advisories/GHSA-5882-5rx9-xgxp
fixed_packages
0
url pkg:pypi/crawl4ai@0.8.0
purl pkg:pypi/crawl4ai@0.8.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/crawl4ai@0.8.0
aliases CVE-2026-26216, GHSA-5882-5rx9-xgxp, PYSEC-2026-33
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tvag-1xns-5yck
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/crawl4ai@0.4.24