Home Embedded Vulns General Vulns

CVE-2026-53753

CRITICAL 9.8

Our Analysis: Environment Specific

Our model has classified this vulnerability as relevant to Environment Specific Systems, helping your team prioritize efforts effectively.

Published Date June 23, 2026
Last Modified June 23, 2026
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (gi_frame, f_back, f_builtins) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution. The attack requires no authentication (JWT disabled by default) and is triggered via POST /crawl with a crafted extraction schema. This vulnerability is fixed in 0.8.7.

Potentially Affected Vendors