Description
Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard, which renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request containing malicious markup that executes in an operator's browser when the operator views the dashboard.
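The unescaped rendering pattern named above, beside two escaped forms, as an added example that is not Crawl4AI's own code; the job fields `url` and `error`, the function names and the sample input are assumptions constructed for illustration.

```javascript
// Hypothetical dashboard row renderer (illustrative, not the project's code).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change HTML text or attribute context.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unescaped pattern: request-supplied fields are interpolated into markup
// that is later assigned to innerHTML, so stored markup is parsed as HTML.
function renderRowUnsafe(job) {
  return `<tr><td>${job.url}</td><td>${job.error}</td></tr>`;
}

// Escaped form: every untrusted field is encoded, including the copy placed
// in a quoted attribute, where an unescaped quote would end the attribute.
function renderRowSafe(job) {
  const url = escapeHtml(job.url);
  const error = escapeHtml(job.error);
  return `<tr><td title="${url}">${url}</td><td>${error}</td></tr>`;
}

// DOM form: textContent never invokes the HTML parser, so no escaping
// step can be forgotten when a new field is added to the row.
function appendRowDom(tbody, job) {
  const doc = tbody.ownerDocument;
  const tr = doc.createElement('tr');
  for (const field of [job.url, job.error]) {
    const td = doc.createElement('td');
    td.textContent = String(field ?? '');
    tr.appendChild(td);
  }
  tbody.appendChild(tr);
  return tr;
}

// Constructed sample record standing in for a stored crawl job.
const SAMPLE_JOB = {
  url: 'https://example.test/?q=<img src=x onerror=alert(1)>',
  error: 'Timeout "after" 30s & retry <b>failed</b>',
};

console.log(renderRowSafe(SAMPLE_JOB));
```

Escaping at render time is the fix for records already stored before an upgrade; input validation at submission does not cover them.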
Severity (CVSS)
| Metric | Value |
|---|---|
| Base score | 5.3 |
| Severity | Medium |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |
| Provided by | CNA |
Weaknesses
- CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Crawl4AI | Crawl4AI | 0 to <0.8.7; 0.8.7 |
Generated from the official CVE List on 24 Jun 2026 09:35 UTC.