How should we interpret CVSS severity scores?

CVSS estimates technical severity, but it does not automatically equal business risk. Prioritize using context like internet exposure, asset criticality, known exploitation, and whether compensating controls exist. A Medium CVSS on an exposed production system can be more urgent than a Critical on an isolated non-production host.

Vulnerability Database

Q: What is a Vulnerability (CVE) and why does it matter?

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

Q: What's the difference between a vulnerability, an exploit, and a zero-day?

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. Risk increases sharply when exploitation becomes reliable or widespread.

Q: Why do vulnerabilities keep reappearing in our environment?

Recurring findings usually come from incomplete asset discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host.

Q: How do we prioritize remediation without burning out the team?

Use a repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress so remediation is steady, not reactive.

Q: How can SynScan help reduce vulnerability risk over time?

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.

351,760

Total vulnerabilities in the database

Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution — Crawl4AI

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Summary

Multiple security vulnerabilities in the Crawl4AI Docker API server affecting endpoints for crawling, markdown/LLM extraction, screenshots, PDFs, webhooks, monitoring, JavaScript execution, and configuration.

Vulnerabilities

1. Arbitrary File Write via /screenshot and /pdf (CWE-22, CVSS 9.1)

The output_path parameter accepts arbitrary filesystem paths with no validation. An attacker can overwrite server files (DoS) or write to any appuser-writable location.

Fix: Added validate_output_path() restricting writes to CRAWL4AI_OUTPUT_DIR (/tmp/crawl4ai-outputs by default). Added Pydantic field_validator rejecting .. traversal sequences.

2. SSRF via Webhook URL (CWE-918, CVSS 8.6)

Webhook URLs in /crawl/job and /llm/job accept internal/private IPs with no validation, enabling Server-Side Request Forgery against cloud metadata endpoints (169.254.169.254), internal services, and Docker networks.

Fix: Added validate_webhook_url() with blocklist for RFC 1918, loopback, link-local, cloud metadata IPs and hostnames. Validation at both job submission and send time. Explicit follow_redirects=False.

3. Authentication Bypass on Monitor Endpoints (CWE-306, CVSS 6.5)

The monitor router was mounted without token_dep dependency, making all monitoring endpoints (including destructive ones like /monitor/actions/cleanup) accessible without authentication.

Fix: Added dependencies=[Depends(token_dep)] to monitor router. Added explicit token check on WebSocket /monitor/ws endpoint.

4. Stored XSS in Monitor Dashboard (CWE-79, CVSS 6.1)

URLs and error messages rendered in the monitor dashboard via innerHTML without escaping, enabling stored XSS via crafted crawl URLs.

Fix: Server-side html.escape() on URL and error storage. Client-side escapeHtml() wrapper on all innerHTML template injections.

5. Arbitrary JavaScript Execution via /execute_js (CWE-94, CVSS 8.1)

The /execute_js endpoint accepts and executes arbitrary JavaScript in the server's browser with --disable-web-security enabled, combining arbitrary JS execution with SSRF capability.

Fix: Disabled by default via CRAWL4AI_EXECUTE_JS_ENABLED env var. Added SSRF blocklist on destination URL. Removed --disable-web-security from default browser args.

6. Hardcoded JWT Secret Key (CWE-798, CVSS 9.8)

The JWT signing key defaults to "mysecret" in the public source code, allowing anyone to forge valid authentication tokens.

Fix: Removed default value. Added startup validation rejecting weak/short secrets. Auto-generates ephemeral key when JWT enabled but no key set.

7. SSRF via Direct Crawl Endpoints /crawl, /md, /llm (CWE-918, CVSS 8.6)

The primary crawl entry points (/crawl, /crawl/stream, /md, /llm) fetch arbitrary user-supplied URLs with no destination validation, enabling Server-Side Request Forgery against internal services, Docker networks, and cloud metadata endpoints (169.254.169.254). A blocklist that only inspects the literal hostname is additionally bypassable via IPv6-mapped IPv4 addresses (e.g. [::ffff:169.254.169.254], [::ffff:10.0.0.1]), which resolve to the blocked private/metadata ranges but evade a naive string check.

Fix: Added URL destination validation on all crawl/md/llm entry points, reusing the SSRF blocklist (RFC 1918, loopback, link-local, cloud-metadata IPs and hostnames). IPv6-mapped IPv4 addresses are normalized to their IPv4 form before the blocklist check, closing the mapping bypass. raw:// URLs are skipped. Validation applies at request entry, not only at fetch time.

Workarounds

Upgrade to the patched version (recommended)
Set CRAWL4AI_API_TOKEN to enable authentication
Set a strong SECRET_KEY (min 32 chars) if using JWT
Restrict network access to the Docker API

Credits

Jeongbean Jeon - file write, SSRF, monitor auth bypass, stored XSS
wulonchia - file write via output_path (independent report)
by111 (August829) - hardcoded JWT, eval in /config/dump, /execute_js, hook sandbox escape
secsys_codex - SSRF via /md, /crawl, /llm endpoints + IPv6-mapped IPv4 bypass (URL destination validation)
Velayutham Selvaraj (LinkedIn) - SSRF via missing host validation in validate_url_scheme (independent report)
IcySun & Yashon - SSRF, arbitrary file write, missing-auth-by-default, hook sandbox bypass via asyncio (independent report)

Published: Jun 16, 2026
Updated: Jun 17, 2026
GHSA: GHSA-365w-hqf6-vxfg
Severity: Critical
Exploit:
CISA KEV:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

OWASP TOP 10:

Affected Software
References

Software	From	Fixed in
Crawl4AI	-	0.8.7

https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo

Frequently Asked Questions

What is a Vulnerability (CVE) and why does it matter?

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.