What is GHSA-wx2c-3cp2-f6qw?

GHSA-wx2c-3cp2-f6qw is a security advisory published by GitHub Security Advisories with Critical severity. Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF...

Which CVE IDs does GHSA-wx2c-3cp2-f6qw cover?

GHSA-wx2c-3cp2-f6qw covers the following CVE IDs: CVE-2026-56258. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-wx2c-3cp2-f6qw?

GHSA-wx2c-3cp2-f6qw has a CVSS v3 base score of 8.1, published by GitHub Security Advisories.

GHSA-wx2c-3cp2-f6qwCriticalCVSS 8.1

Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF...

Vendor

GitHub Security Advisories

Published

June 23, 2026

Last Modified

June 23, 2026

🔗 CVE IDs covered (1)

CVE-2026-56258 →

📋 Description

Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use (TOCTOU) attacks on the output_path parameter. Remote attackers can exploit insufficient path validation and symlink following to achieve arbitrary file write and potential code execution on systems where the runtime user has write access to executable or cron locations.

🔗 References (4)

https://github.com/unclecode/crawl4ai/security/advisories/GHSA-7cx2-g3h9-382p
https://nvd.nist.gov/vuln/detail/CVE-2026-56258
https://www.vulncheck.com/advisories/crawl4ai-arbitrary-file-write-via-output-path-symlink-and-toctou
https://github.com/advisories/GHSA-wx2c-3cp2-f6qw