Vulnerability Details CVE-2026-56266

Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.
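The bypass class described above, as an added example (not Crawl4AI's code or its actual fix): a constructed IPv4-only blocklist misses `::ffff:a.b.c.d` literals, while a check that unwraps the mapped address first rejects them. The function names, the blocklist contents and the injectable `resolve` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed blocklist for illustration; not Crawl4AI's actual list.
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def naive_is_blocked(ip):
    """Weak check: membership test against IPv4 networks only."""
    # An IPv6Address is never "in" an IPv4Network, so ::ffff:a.b.c.d passes.
    return any(ip in net for net in BLOCKED_V4)

def strict_is_blocked(ip):
    """Unwrap IPv4-mapped IPv6 first, then reject every non-public range."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or
            ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def _resolve(host):
    """Default resolver: every address the name maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def url_allowed(url, is_blocked=strict_is_blocked, resolve=_resolve):
    """True only for http(s) URLs whose every target address is allowed."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:          # malformed authority, e.g. broken brackets
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # DNS name: check every resolved address, not the string.
        try:
            addrs = [ipaddress.ip_address(a.split("%")[0])
                     for a in resolve(host)]
        except (OSError, ValueError):
            return False
    return bool(addrs) and not any(is_blocked(a) for a in addrs)
```

A pre-fetch check like this only holds if the fetcher then connects to the address that was validated and re-runs the check on every redirect; otherwise a second DNS answer or a 3xx response can still point at an internal host.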
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 20.7%
CVSS Severity
CVSS v3 Score 8.6
Products affected by CVE-2026-56266

