COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-56260

CVE-2026-56260

Severity
critical
Source
NVD · cve
Published
2026-07-12
CVSS
9.1
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-56260
shame 45/100 unpatchedexploited-in-wild

Crawl4AI's Docker API server allows arbitrary file writes via unsanitized path inputs, enabling attackers to overwrite critical system files.

CVE-2026-56260 in Crawl4AI before 0.8.7 permits attackers to write arbitrary files to writable locations via unsanitized path inputs on the Docker API server's /screenshot and /pdf endpoints. This flaw enables denial of service and potential privilege escalation by overwriting server files, posing a significant risk to DIB organizations relying on Crawl4AI for data processing or AI-driven workflows.

Shame score — The vulnerability stems from a lack of input validation on a public-facing API endpoint, allowing attackers to overwrite critical system files.

Description

Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints. The output_path parameter accepts arbitrary filesystem paths without validation, allowing an attacker to supply absolute or path-traversal values to write to any location writable by the application's user, overwriting server files and causing denial of service.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.