Most recent sightings.

Most recent sightings. https://vulnerability.circl.lu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Fri, 26 Jun 2026 16:24:27 +0000 4ecc37c9-8456-4192-8be4-17403b3ad09b https://vulnerability.circl.lu/sighting/4ecc37c9-8456-4192-8be4-17403b3ad09b/export {"uuid": "4ecc37c9-8456-4192-8be4-17403b3ad09b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-R253-R9JW-QG44", "type": "seen", "source": "https://gist.github.com/alon710/41babc051db96b1507f3fb804d7012be", "content": "# GHSA-R253-R9JW-QG44: GHSA-R253-R9JW-QG44: Unauthenticated Remote Code Execution in Crawl4AI via Chromium Launch-Argument Injection\n\n> **CVSS Score:** 10.0\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-R253-R9JW-QG44\n\n## Summary\nA critical unauthenticated remote code execution vulnerability exists in Crawl4AI versions up to 0.8.9. The flaw is caused by improper neutralization of command arguments passed to the Chromium process execution engine via the browser_config.extra_args parameter, enabling remote attackers to execute arbitrary shell commands inside the container.\n\n## TL;DR\nUnauthenticated remote command injection via Chromium process-replacement switches in Crawl4AI <= 0.8.9.\n\n## Technical Details\n\n- **CWE ID**: CWE-88 / CWE-94\n- **Attack Vector**: Network\n- **CVSS Score**: 10.0 (Critical)\n- **Exploit Status**: PoC Available\n- **Affected Component**: Docker API server request parsing\n- **Patched Version**: 0.9.0\n\n## Affected Systems\n\n- Crawl4AI self-hosted Docker API server\n\n## Mitigation\n\n- Upgrade Crawl4AI to version 0.9.0 or later\n- Enable API Token Authentication\n- Restrict network exposure of the container port\n\n**Remediation Steps:**\n1. Pull the official Docker image tagged with version 0.9.0 or later.\n2. If using pip, run 'pip install crawl4ai>=0.9.0' to update the library.\n3. Set the 'CRAWL4AI_API_TOKEN' environment variable in your deployment configuration to enable authorization checks.\n4. Bind the container API port (11235) to 127.0.0.1 or place it behind a firewall/VPN.\n\n## References\n\n- [GitHub Security Advisory GHSA-R253-R9JW-QG44](https://github.com/advisories/GHSA-R253-R9JW-QG44)\n- [Crawl4AI Repository](https://github.com/unclecode/crawl4ai)\n- [Vulnerability Fix Commit](https://github.com/unclecode/crawl4ai/commit/60886d1a0c52682e4c83a7cef9dfac417fff6bd2)\n- [Vulnerability Documentation Commit](https://github.com/unclecode/crawl4ai/commit/c66f3276fd355031c8632500911fe7041ad6fc14)\n- [Crawl4AI Migration Guide (0.9.0)](https://github.com/unclecode/crawl4ai/blob/main/deploy/docker/MIGRATION.md)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-R253-R9JW-QG44) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T18:41:53.000000Z"} {"uuid": "4ecc37c9-8456-4192-8be4-17403b3ad09b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-R253-R9JW-QG44", "type": "seen", "source": "https://gist.github.com/alon710/41babc051db96b1507f3fb804d7012be", "content": "# GHSA-R253-R9JW-QG44: GHSA-R253-R9JW-QG44: Unauthenticated Remote Code Execution in Crawl4AI via Chromium Launch-Argument Injection\n\n> **CVSS Score:** 10.0\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-R253-R9JW-QG44\n\n## Summary\nA critical unauthenticated remote code execution vulnerability exists in Crawl4AI versions up to 0.8.9. The flaw is caused by improper neutralization of command arguments passed to the Chromium process execution engine via the browser_config.extra_args parameter, enabling remote attackers to execute arbitrary shell commands inside the container.\n\n## TL;DR\nUnauthenticated remote command injection via Chromium process-replacement switches in Crawl4AI <= 0.8.9.\n\n## Technical Details\n\n- **CWE ID**: CWE-88 / CWE-94\n- **Attack Vector**: Network\n- **CVSS Score**: 10.0 (Critical)\n- **Exploit Status**: PoC Available\n- **Affected Component**: Docker API server request parsing\n- **Patched Version**: 0.9.0\n\n## Affected Systems\n\n- Crawl4AI self-hosted Docker API server\n\n## Mitigation\n\n- Upgrade Crawl4AI to version 0.9.0 or later\n- Enable API Token Authentication\n- Restrict network exposure of the container port\n\n**Remediation Steps:**\n1. Pull the official Docker image tagged with version 0.9.0 or later.\n2. If using pip, run 'pip install crawl4ai>=0.9.0' to update the library.\n3. Set the 'CRAWL4AI_API_TOKEN' environment variable in your deployment configuration to enable authorization checks.\n4. Bind the container API port (11235) to 127.0.0.1 or place it behind a firewall/VPN.\n\n## References\n\n- [GitHub Security Advisory GHSA-R253-R9JW-QG44](https://github.com/advisories/GHSA-R253-R9JW-QG44)\n- [Crawl4AI Repository](https://github.com/unclecode/crawl4ai)\n- [Vulnerability Fix Commit](https://github.com/unclecode/crawl4ai/commit/60886d1a0c52682e4c83a7cef9dfac417fff6bd2)\n- [Vulnerability Documentation Commit](https://github.com/unclecode/crawl4ai/commit/c66f3276fd355031c8632500911fe7041ad6fc14)\n- [Crawl4AI Migration Guide (0.9.0)](https://github.com/unclecode/crawl4ai/blob/main/deploy/docker/MIGRATION.md)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-R253-R9JW-QG44) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T18:41:53.000000Z"} https://vulnerability.circl.lu/sighting/4ecc37c9-8456-4192-8be4-17403b3ad09b/export Thu, 18 Jun 2026 18:41:53 +0000 da488886-ad05-4f46-9fbd-4151565c907b https://vulnerability.circl.lu/sighting/da488886-ad05-4f46-9fbd-4151565c907b/export {"uuid": "da488886-ad05-4f46-9fbd-4151565c907b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-R253-R9JW-QG44", "type": "seen", "source": "https://gist.github.com/alon710/3807d480d537cf9538209dc130bd58ae", "content": "# GHSA-R253-R9JW-QG44: GHSA-R253-R9JW-QG44: Unauthenticated Remote Code Execution in Crawl4AI via Chromium Launch-Argument Injection\n\n> **CVSS Score:** 10.0\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-R253-R9JW-QG44\n\n## Summary\nA critical unauthenticated remote code execution vulnerability exists in Crawl4AI versions up to 0.8.9. The flaw is caused by improper neutralization of command arguments passed to the Chromium process execution engine via the browser_config.extra_args parameter, enabling remote attackers to execute arbitrary shell commands inside the container.\n\n## TL;DR\nUnauthenticated remote command injection via Chromium process-replacement switches in Crawl4AI <= 0.8.9.\n\n## Technical Details\n\n- **CWE ID**: CWE-88 / CWE-94\n- **Attack Vector**: Network\n- **CVSS Score**: 10.0 (Critical)\n- **Exploit Status**: PoC Available\n- **Affected Component**: Docker API server request parsing\n- **Patched Version**: 0.9.0\n\n## Affected Systems\n\n- Crawl4AI self-hosted Docker API server\n\n## Mitigation\n\n- Upgrade Crawl4AI to version 0.9.0 or later\n- Enable API Token Authentication\n- Restrict network exposure of the container port\n\n**Remediation Steps:**\n1. Pull the official Docker image tagged with version 0.9.0 or later.\n2. If using pip, run 'pip install crawl4ai>=0.9.0' to update the library.\n3. Set the 'CRAWL4AI_API_TOKEN' environment variable in your deployment configuration to enable authorization checks.\n4. Bind the container API port (11235) to 127.0.0.1 or place it behind a firewall/VPN.\n\n## References\n\n- [GitHub Security Advisory GHSA-R253-R9JW-QG44](https://github.com/advisories/GHSA-R253-R9JW-QG44)\n- [Crawl4AI Repository](https://github.com/unclecode/crawl4ai)\n- [Vulnerability Fix Commit](https://github.com/unclecode/crawl4ai/commit/60886d1a0c52682e4c83a7cef9dfac417fff6bd2)\n- [Vulnerability Documentation Commit](https://github.com/unclecode/crawl4ai/commit/c66f3276fd355031c8632500911fe7041ad6fc14)\n- [Crawl4AI Migration Guide (0.9.0)](https://github.com/unclecode/crawl4ai/blob/main/deploy/docker/MIGRATION.md)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-R253-R9JW-QG44) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T18:51:38.000000Z"} {"uuid": "da488886-ad05-4f46-9fbd-4151565c907b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-R253-R9JW-QG44", "type": "seen", "source": "https://gist.github.com/alon710/3807d480d537cf9538209dc130bd58ae", "content": "# GHSA-R253-R9JW-QG44: GHSA-R253-R9JW-QG44: Unauthenticated Remote Code Execution in Crawl4AI via Chromium Launch-Argument Injection\n\n> **CVSS Score:** 10.0\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-R253-R9JW-QG44\n\n## Summary\nA critical unauthenticated remote code execution vulnerability exists in Crawl4AI versions up to 0.8.9. The flaw is caused by improper neutralization of command arguments passed to the Chromium process execution engine via the browser_config.extra_args parameter, enabling remote attackers to execute arbitrary shell commands inside the container.\n\n## TL;DR\nUnauthenticated remote command injection via Chromium process-replacement switches in Crawl4AI <= 0.8.9.\n\n## Technical Details\n\n- **CWE ID**: CWE-88 / CWE-94\n- **Attack Vector**: Network\n- **CVSS Score**: 10.0 (Critical)\n- **Exploit Status**: PoC Available\n- **Affected Component**: Docker API server request parsing\n- **Patched Version**: 0.9.0\n\n## Affected Systems\n\n- Crawl4AI self-hosted Docker API server\n\n## Mitigation\n\n- Upgrade Crawl4AI to version 0.9.0 or later\n- Enable API Token Authentication\n- Restrict network exposure of the container port\n\n**Remediation Steps:**\n1. Pull the official Docker image tagged with version 0.9.0 or later.\n2. If using pip, run 'pip install crawl4ai>=0.9.0' to update the library.\n3. Set the 'CRAWL4AI_API_TOKEN' environment variable in your deployment configuration to enable authorization checks.\n4. Bind the container API port (11235) to 127.0.0.1 or place it behind a firewall/VPN.\n\n## References\n\n- [GitHub Security Advisory GHSA-R253-R9JW-QG44](https://github.com/advisories/GHSA-R253-R9JW-QG44)\n- [Crawl4AI Repository](https://github.com/unclecode/crawl4ai)\n- [Vulnerability Fix Commit](https://github.com/unclecode/crawl4ai/commit/60886d1a0c52682e4c83a7cef9dfac417fff6bd2)\n- [Vulnerability Documentation Commit](https://github.com/unclecode/crawl4ai/commit/c66f3276fd355031c8632500911fe7041ad6fc14)\n- [Crawl4AI Migration Guide (0.9.0)](https://github.com/unclecode/crawl4ai/blob/main/deploy/docker/MIGRATION.md)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-R253-R9JW-QG44) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T18:51:38.000000Z"} https://vulnerability.circl.lu/sighting/da488886-ad05-4f46-9fbd-4151565c907b/export Thu, 18 Jun 2026 18:51:38 +0000 135c719d-446b-426e-b8f4-8a6815358bed https://vulnerability.circl.lu/sighting/135c719d-446b-426e-b8f4-8a6815358bed/export {"uuid": "135c719d-446b-426e-b8f4-8a6815358bed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-R253-R9JW-QG44", "type": "seen", "source": "https://gist.github.com/alon710/697bceac18bae3cc319e1ba354c5f8bd", "content": "# GHSA-R253-R9JW-QG44: GHSA-R253-R9JW-QG44: Unauthenticated Remote Code Execution in Crawl4AI via Chromium Launch-Argument Injection\n\n> **CVSS Score:** 10.0\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-R253-R9JW-QG44\n\n## Summary\nA critical unauthenticated remote code execution vulnerability exists in Crawl4AI versions up to 0.8.9. The flaw is caused by improper neutralization of command arguments passed to the Chromium process execution engine via the browser_config.extra_args parameter, enabling remote attackers to execute arbitrary shell commands inside the container.\n\n## TL;DR\nUnauthenticated remote command injection via Chromium process-replacement switches in Crawl4AI <= 0.8.9.\n\n## Technical Details\n\n- **CWE ID**: CWE-88 / CWE-94\n- **Attack Vector**: Network\n- **CVSS Score**: 10.0 (Critical)\n- **Exploit Status**: PoC Available\n- **Affected Component**: Docker API server request parsing\n- **Patched Version**: 0.9.0\n\n## Affected Systems\n\n- Crawl4AI self-hosted Docker API server\n\n## Mitigation\n\n- Upgrade Crawl4AI to version 0.9.0 or later\n- Enable API Token Authentication\n- Restrict network exposure of the container port\n\n**Remediation Steps:**\n1. Pull the official Docker image tagged with version 0.9.0 or later.\n2. If using pip, run 'pip install crawl4ai>=0.9.0' to update the library.\n3. Set the 'CRAWL4AI_API_TOKEN' environment variable in your deployment configuration to enable authorization checks.\n4. Bind the container API port (11235) to 127.0.0.1 or place it behind a firewall/VPN.\n\n## References\n\n- [GitHub Security Advisory GHSA-R253-R9JW-QG44](https://github.com/advisories/GHSA-R253-R9JW-QG44)\n- [Crawl4AI Repository](https://github.com/unclecode/crawl4ai)\n- [Vulnerability Fix Commit](https://github.com/unclecode/crawl4ai/commit/60886d1a0c52682e4c83a7cef9dfac417fff6bd2)\n- [Vulnerability Documentation Commit](https://github.com/unclecode/crawl4ai/commit/c66f3276fd355031c8632500911fe7041ad6fc14)\n- [Crawl4AI Migration Guide (0.9.0)](https://github.com/unclecode/crawl4ai/blob/main/deploy/docker/MIGRATION.md)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-R253-R9JW-QG44) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T19:02:49.000000Z"} {"uuid": "135c719d-446b-426e-b8f4-8a6815358bed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-R253-R9JW-QG44", "type": "seen", "source": "https://gist.github.com/alon710/697bceac18bae3cc319e1ba354c5f8bd", "content": "# GHSA-R253-R9JW-QG44: GHSA-R253-R9JW-QG44: Unauthenticated Remote Code Execution in Crawl4AI via Chromium Launch-Argument Injection\n\n> **CVSS Score:** 10.0\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-R253-R9JW-QG44\n\n## Summary\nA critical unauthenticated remote code execution vulnerability exists in Crawl4AI versions up to 0.8.9. The flaw is caused by improper neutralization of command arguments passed to the Chromium process execution engine via the browser_config.extra_args parameter, enabling remote attackers to execute arbitrary shell commands inside the container.\n\n## TL;DR\nUnauthenticated remote command injection via Chromium process-replacement switches in Crawl4AI <= 0.8.9.\n\n## Technical Details\n\n- **CWE ID**: CWE-88 / CWE-94\n- **Attack Vector**: Network\n- **CVSS Score**: 10.0 (Critical)\n- **Exploit Status**: PoC Available\n- **Affected Component**: Docker API server request parsing\n- **Patched Version**: 0.9.0\n\n## Affected Systems\n\n- Crawl4AI self-hosted Docker API server\n\n## Mitigation\n\n- Upgrade Crawl4AI to version 0.9.0 or later\n- Enable API Token Authentication\n- Restrict network exposure of the container port\n\n**Remediation Steps:**\n1. Pull the official Docker image tagged with version 0.9.0 or later.\n2. If using pip, run 'pip install crawl4ai>=0.9.0' to update the library.\n3. Set the 'CRAWL4AI_API_TOKEN' environment variable in your deployment configuration to enable authorization checks.\n4. Bind the container API port (11235) to 127.0.0.1 or place it behind a firewall/VPN.\n\n## References\n\n- [GitHub Security Advisory GHSA-R253-R9JW-QG44](https://github.com/advisories/GHSA-R253-R9JW-QG44)\n- [Crawl4AI Repository](https://github.com/unclecode/crawl4ai)\n- [Vulnerability Fix Commit](https://github.com/unclecode/crawl4ai/commit/60886d1a0c52682e4c83a7cef9dfac417fff6bd2)\n- [Vulnerability Documentation Commit](https://github.com/unclecode/crawl4ai/commit/c66f3276fd355031c8632500911fe7041ad6fc14)\n- [Crawl4AI Migration Guide (0.9.0)](https://github.com/unclecode/crawl4ai/blob/main/deploy/docker/MIGRATION.md)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-R253-R9JW-QG44) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T19:02:49.000000Z"} https://vulnerability.circl.lu/sighting/135c719d-446b-426e-b8f4-8a6815358bed/export Thu, 18 Jun 2026 19:02:49 +0000 564f3e0a-578a-4614-ad18-a8d5ab490f4a https://vulnerability.circl.lu/sighting/564f3e0a-578a-4614-ad18-a8d5ab490f4a/export {"uuid": "564f3e0a-578a-4614-ad18-a8d5ab490f4a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-R253-R9JW-QG44", "type": "seen", "source": "https://gist.github.com/alon710/8121a7bd1aab2652430c302c53a0527a", "content": "# GHSA-R253-R9JW-QG44: GHSA-R253-R9JW-QG44: Unauthenticated Remote Code Execution in Crawl4AI via Chromium Launch-Argument Injection\n\n> **CVSS Score:** 10.0\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-R253-R9JW-QG44\n\n## Summary\nA critical unauthenticated remote code execution vulnerability exists in Crawl4AI versions up to 0.8.9. The flaw is caused by improper neutralization of command arguments passed to the Chromium process execution engine via the browser_config.extra_args parameter, enabling remote attackers to execute arbitrary shell commands inside the container.\n\n## TL;DR\nUnauthenticated remote command injection via Chromium process-replacement switches in Crawl4AI <= 0.8.9.\n\n## Technical Details\n\n- **CWE ID**: CWE-88 / CWE-94\n- **Attack Vector**: Network\n- **CVSS Score**: 10.0 (Critical)\n- **Exploit Status**: PoC Available\n- **Affected Component**: Docker API server request parsing\n- **Patched Version**: 0.9.0\n\n## Affected Systems\n\n- Crawl4AI self-hosted Docker API server\n\n## Mitigation\n\n- Upgrade Crawl4AI to version 0.9.0 or later\n- Enable API Token Authentication\n- Restrict network exposure of the container port\n\n**Remediation Steps:**\n1. Pull the official Docker image tagged with version 0.9.0 or later.\n2. If using pip, run 'pip install crawl4ai>=0.9.0' to update the library.\n3. Set the 'CRAWL4AI_API_TOKEN' environment variable in your deployment configuration to enable authorization checks.\n4. Bind the container API port (11235) to 127.0.0.1 or place it behind a firewall/VPN.\n\n## References\n\n- [GitHub Security Advisory GHSA-R253-R9JW-QG44](https://github.com/advisories/GHSA-R253-R9JW-QG44)\n- [Crawl4AI Repository](https://github.com/unclecode/crawl4ai)\n- [Vulnerability Fix Commit](https://github.com/unclecode/crawl4ai/commit/60886d1a0c52682e4c83a7cef9dfac417fff6bd2)\n- [Vulnerability Documentation Commit](https://github.com/unclecode/crawl4ai/commit/c66f3276fd355031c8632500911fe7041ad6fc14)\n- [Crawl4AI Migration Guide (0.9.0)](https://github.com/unclecode/crawl4ai/blob/main/deploy/docker/MIGRATION.md)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-R253-R9JW-QG44) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T19:11:23.000000Z"} {"uuid": "564f3e0a-578a-4614-ad18-a8d5ab490f4a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-R253-R9JW-QG44", "type": "seen", "source": "https://gist.github.com/alon710/8121a7bd1aab2652430c302c53a0527a", "content": "# GHSA-R253-R9JW-QG44: GHSA-R253-R9JW-QG44: Unauthenticated Remote Code Execution in Crawl4AI via Chromium Launch-Argument Injection\n\n> **CVSS Score:** 10.0\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-R253-R9JW-QG44\n\n## Summary\nA critical unauthenticated remote code execution vulnerability exists in Crawl4AI versions up to 0.8.9. The flaw is caused by improper neutralization of command arguments passed to the Chromium process execution engine via the browser_config.extra_args parameter, enabling remote attackers to execute arbitrary shell commands inside the container.\n\n## TL;DR\nUnauthenticated remote command injection via Chromium process-replacement switches in Crawl4AI <= 0.8.9.\n\n## Technical Details\n\n- **CWE ID**: CWE-88 / CWE-94\n- **Attack Vector**: Network\n- **CVSS Score**: 10.0 (Critical)\n- **Exploit Status**: PoC Available\n- **Affected Component**: Docker API server request parsing\n- **Patched Version**: 0.9.0\n\n## Affected Systems\n\n- Crawl4AI self-hosted Docker API server\n\n## Mitigation\n\n- Upgrade Crawl4AI to version 0.9.0 or later\n- Enable API Token Authentication\n- Restrict network exposure of the container port\n\n**Remediation Steps:**\n1. Pull the official Docker image tagged with version 0.9.0 or later.\n2. If using pip, run 'pip install crawl4ai>=0.9.0' to update the library.\n3. Set the 'CRAWL4AI_API_TOKEN' environment variable in your deployment configuration to enable authorization checks.\n4. Bind the container API port (11235) to 127.0.0.1 or place it behind a firewall/VPN.\n\n## References\n\n- [GitHub Security Advisory GHSA-R253-R9JW-QG44](https://github.com/advisories/GHSA-R253-R9JW-QG44)\n- [Crawl4AI Repository](https://github.com/unclecode/crawl4ai)\n- [Vulnerability Fix Commit](https://github.com/unclecode/crawl4ai/commit/60886d1a0c52682e4c83a7cef9dfac417fff6bd2)\n- [Vulnerability Documentation Commit](https://github.com/unclecode/crawl4ai/commit/c66f3276fd355031c8632500911fe7041ad6fc14)\n- [Crawl4AI Migration Guide (0.9.0)](https://github.com/unclecode/crawl4ai/blob/main/deploy/docker/MIGRATION.md)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-R253-R9JW-QG44) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T19:11:23.000000Z"} https://vulnerability.circl.lu/sighting/564f3e0a-578a-4614-ad18-a8d5ab490f4a/export Thu, 18 Jun 2026 19:11:23 +0000 5ee857bc-7eeb-4719-9f7b-82fb8ac41b79 https://vulnerability.circl.lu/sighting/5ee857bc-7eeb-4719-9f7b-82fb8ac41b79/export {"uuid": "5ee857bc-7eeb-4719-9f7b-82fb8ac41b79", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-R253-R9JW-QG44", "type": "seen", "source": "https://gist.github.com/alon710/9e535e41085b7a2a9ed1e2ab38f56b56", "content": "# GHSA-R253-R9JW-QG44: GHSA-R253-R9JW-QG44: Unauthenticated Remote Code Execution in Crawl4AI via Chromium Launch-Argument Injection\n\n> **CVSS Score:** 10.0\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-R253-R9JW-QG44\n\n## Summary\nA critical unauthenticated remote code execution vulnerability exists in Crawl4AI versions up to 0.8.9. The flaw is caused by improper neutralization of command arguments passed to the Chromium process execution engine via the browser_config.extra_args parameter, enabling remote attackers to execute arbitrary shell commands inside the container.\n\n## TL;DR\nUnauthenticated remote command injection via Chromium process-replacement switches in Crawl4AI <= 0.8.9.\n\n## Technical Details\n\n- **CWE ID**: CWE-88 / CWE-94\n- **Attack Vector**: Network\n- **CVSS Score**: 10.0 (Critical)\n- **Exploit Status**: PoC Available\n- **Affected Component**: Docker API server request parsing\n- **Patched Version**: 0.9.0\n\n## Affected Systems\n\n- Crawl4AI self-hosted Docker API server\n\n## Mitigation\n\n- Upgrade Crawl4AI to version 0.9.0 or later\n- Enable API Token Authentication\n- Restrict network exposure of the container port\n\n**Remediation Steps:**\n1. Pull the official Docker image tagged with version 0.9.0 or later.\n2. If using pip, run 'pip install crawl4ai>=0.9.0' to update the library.\n3. Set the 'CRAWL4AI_API_TOKEN' environment variable in your deployment configuration to enable authorization checks.\n4. Bind the container API port (11235) to 127.0.0.1 or place it behind a firewall/VPN.\n\n## References\n\n- [GitHub Security Advisory GHSA-R253-R9JW-QG44](https://github.com/advisories/GHSA-R253-R9JW-QG44)\n- [Crawl4AI Repository](https://github.com/unclecode/crawl4ai)\n- [Vulnerability Fix Commit](https://github.com/unclecode/crawl4ai/commit/60886d1a0c52682e4c83a7cef9dfac417fff6bd2)\n- [Vulnerability Documentation Commit](https://github.com/unclecode/crawl4ai/commit/c66f3276fd355031c8632500911fe7041ad6fc14)\n- [Crawl4AI Migration Guide (0.9.0)](https://github.com/unclecode/crawl4ai/blob/main/deploy/docker/MIGRATION.md)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-R253-R9JW-QG44) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T19:21:43.000000Z"} {"uuid": "5ee857bc-7eeb-4719-9f7b-82fb8ac41b79", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-R253-R9JW-QG44", "type": "seen", "source": "https://gist.github.com/alon710/9e535e41085b7a2a9ed1e2ab38f56b56", "content": "# GHSA-R253-R9JW-QG44: GHSA-R253-R9JW-QG44: Unauthenticated Remote Code Execution in Crawl4AI via Chromium Launch-Argument Injection\n\n> **CVSS Score:** 10.0\n> **Published:** 2026-06-18\n> **Full Report:** https://cvereports.com/reports/GHSA-R253-R9JW-QG44\n\n## Summary\nA critical unauthenticated remote code execution vulnerability exists in Crawl4AI versions up to 0.8.9. The flaw is caused by improper neutralization of command arguments passed to the Chromium process execution engine via the browser_config.extra_args parameter, enabling remote attackers to execute arbitrary shell commands inside the container.\n\n## TL;DR\nUnauthenticated remote command injection via Chromium process-replacement switches in Crawl4AI <= 0.8.9.\n\n## Technical Details\n\n- **CWE ID**: CWE-88 / CWE-94\n- **Attack Vector**: Network\n- **CVSS Score**: 10.0 (Critical)\n- **Exploit Status**: PoC Available\n- **Affected Component**: Docker API server request parsing\n- **Patched Version**: 0.9.0\n\n## Affected Systems\n\n- Crawl4AI self-hosted Docker API server\n\n## Mitigation\n\n- Upgrade Crawl4AI to version 0.9.0 or later\n- Enable API Token Authentication\n- Restrict network exposure of the container port\n\n**Remediation Steps:**\n1. Pull the official Docker image tagged with version 0.9.0 or later.\n2. If using pip, run 'pip install crawl4ai>=0.9.0' to update the library.\n3. Set the 'CRAWL4AI_API_TOKEN' environment variable in your deployment configuration to enable authorization checks.\n4. Bind the container API port (11235) to 127.0.0.1 or place it behind a firewall/VPN.\n\n## References\n\n- [GitHub Security Advisory GHSA-R253-R9JW-QG44](https://github.com/advisories/GHSA-R253-R9JW-QG44)\n- [Crawl4AI Repository](https://github.com/unclecode/crawl4ai)\n- [Vulnerability Fix Commit](https://github.com/unclecode/crawl4ai/commit/60886d1a0c52682e4c83a7cef9dfac417fff6bd2)\n- [Vulnerability Documentation Commit](https://github.com/unclecode/crawl4ai/commit/c66f3276fd355031c8632500911fe7041ad6fc14)\n- [Crawl4AI Migration Guide (0.9.0)](https://github.com/unclecode/crawl4ai/blob/main/deploy/docker/MIGRATION.md)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-R253-R9JW-QG44) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T19:21:43.000000Z"} https://vulnerability.circl.lu/sighting/5ee857bc-7eeb-4719-9f7b-82fb8ac41b79/export Thu, 18 Jun 2026 19:21:43 +0000