Vulnerabilities
Vulnerable Software
Kidocode:  >> Crawl4ai  >> 0.8.6  Security Vulnerabilities
Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing the dashboard.
CVSS Score
5.3
EPSS Score
0.002
Published
2026-06-23
Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.
CVSS Score
9.2
EPSS Score
0.003
Published
2026-06-22
Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.
CVSS Score
9.3
EPSS Score
0.004
Published
2026-06-21


Contact Us

Shodan ® - All rights reserved