CVE-2026-26216

· Published 12/02/2026 16:16 · Modified 13/02/2026 14:23

Labels: CVE-2026-26216, 2026-02-12, CWE-94

Essential information

Published: 12/02/2026 16:16
Modified: 13/02/2026 14:23
Author:
Creator:
CVSS: 10.0 CRITICAL (v3), 10.0 CRITICAL (v4.0)
CISA KEV: No
CWE:
CVSS vector:

Description

Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins, allowing unauthenticated remote attackers to import arbitrary modules and execute system commands. Successful exploitation allows full server compromise, including arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks.
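
The flaw described above, reproduced in miniature as an added example (not Crawl4AI's code): hook source is run through exec() with a builtins allowlist, once with __import__ allowed and once without. The allowlists, probe strings and function names are constructed for illustration, and the probes only load the standard-library platform module.

```python
import builtins

# Hypothetical allowlists (constructed for illustration, not Crawl4AI's real list).
WEAK_ALLOWED = ["len", "str", "print", "__import__"]   # the flaw: __import__ is allowed
STRICT_ALLOWED = ["len", "str", "print"]

# Constructed, benign hook bodies that only try to reach a standard-library module.
PROBES = {
    "call": "result = __import__('platform').__name__",
    "statement": "import platform\nresult = platform.__name__",
}

def run_hook(source, allowed_names):
    """Run hook source via exec() with only the named builtins visible."""
    scope = {"__builtins__": {n: getattr(builtins, n) for n in allowed_names}}
    exec(source, scope)
    return scope.get("result")

def import_reachable(allowed_names):
    """Return {probe name: True if hook code managed to load a module}."""
    outcome = {}
    for name, source in PROBES.items():
        try:
            outcome[name] = run_hook(source, allowed_names) == "platform"
        except (NameError, ImportError):
            # NameError: __import__ is not a visible name.
            # ImportError: the import statement finds no __import__ builtin.
            outcome[name] = False
    return outcome

if __name__ == "__main__":
    print("weak  :", import_reachable(WEAK_ALLOWED))
    print("strict:", import_reachable(STRICT_ALLOWED))
```

Dropping __import__ from the allowlist closes only this one path. The underlying CWE-94 condition is that code supplied by an unauthenticated caller reaches exec() at all.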

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product | CPE
crawl4ai / crawl4ai | cpe:2.3:a:crawl4ai:crawl4ai:<0.8.0:*:*:*:*:*:*:*