CVE-2026-26216 - Vulnerability Analysis
Critical
CVSS: 10.0
Last Updated: February 13, 2026
Crawl4AI - Remote Code Execution
Overview
Crawl4AI < 0.8.0 contains a remote code execution vulnerability caused by unsafe use of exec() on the hooks parameter in the Docker API /crawl endpoint, letting unauthenticated remote attackers execute arbitrary code.
Severity & Score
Impact
Unauthenticated attackers can execute arbitrary code, leading to full server compromise and lateral movement.
Mitigation
Update to version 0.8.0 or later.
References
Social Media Activity (3 posts)
New security advisory: CVE-2026-26216 affects multiple systems. • Impact: Remote code execution or complete system compromise possible • Risk: Attackers can gain full control of affected systems • Mitigation: Patch immediately or isolate affected systems Full breakdown: https://advisory.yazoul.net/cve/cve-2026-26216 #Cybersecurity #PatchNow #InfoSecCommunity
CVE-2026-26216 - Critical (10) Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in... https://www.thehackerwire.com/vulnerability/CVE-2026-26216/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
CRITICAL RCE (CVE-2026-26216) in Crawl4AI <0.8.0: /crawl endpoint allows unauthenticated Python code injection via exec(), enabling server takeover & lateral movement. Restrict access, monitor activity, upgrade ASAP. https://radar.offseq.com/threat/cve-2026-26216-cwe-94-improper-control-of-generati-09f71e54 #OffSeq #CVE202626216 #infosec #RCE
Related Resources
Details
- CVE ID: CVE-2026-26216
- Severity: Critical
- CVSS Score: 10.0
- Type: command_injection
- Status: unconfirmed
- EPSS: 20.1%
- Social Posts: 3
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H