CVE-2026-42601
Severity: CRITICAL
ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView
Title source: cnaDescription
ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. At time of publication, there are no publicly available patches.
References (1)
https://github.com/ArchiveBox/ArchiveBox/security/advisories/GHSA-3h23-7824-pj8r (x_refsource_confirm)
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0006 (percentile 19.1%)
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-88
Status: published
Products (4)
archivebox/archivebox: 0.8.6 rc0
archivebox/archivebox: < 0.8.6
ArchiveBox/ArchiveBox: <= 0.8.6rc0
pypi/archivebox: 0 - 0.8.6rc0 (PyPI)
Published: May 09, 2026
Tracked Since: May 10, 2026