CVE-2026-42601 CRITICAL

CVE-2026-42601: ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView

Vendor Archivebox
Product ArchiveBox
Weakness CWE-88
Published May 9, 2026
Last update May 11, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. At time of publication, there are no publicly available patches.
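The missing control described above is validation of the submitted config before it is merged and exported. The following is an added example, not ArchiveBox code and not a vendor patch: it shows an allowlist check applied ahead of the merge, and all key names (TIMEOUT, SAVE_SCREENSHOT, EXAMPLE_TOOL_ARGS) and function names are hypothetical.

```python
import json

# Hypothetical allowlist: the only per-crawl keys a submitter may override,
# each with a validator. Illustrative names, not ArchiveBox's real schema.
ALLOWED_OVERRIDES = {
    "TIMEOUT": lambda v: isinstance(v, int) and not isinstance(v, bool) and 1 <= v <= 3600,
    "SAVE_SCREENSHOT": lambda v: isinstance(v, bool),
}


class OverrideRejected(ValueError):
    """Raised when a submitted override is off the allowlist or malformed."""


def validate_overrides(raw_json):
    """Parse the submitted config field and return it only if every key is vetted."""
    try:
        submitted = json.loads(raw_json or "{}")
    except json.JSONDecodeError as exc:
        raise OverrideRejected("config is not valid JSON") from exc
    if not isinstance(submitted, dict):
        raise OverrideRejected("config must be a JSON object")
    for key, value in submitted.items():
        check = ALLOWED_OVERRIDES.get(key)
        if check is None:
            # Fail closed: tool-argument and binary-path keys are never
            # user-settable, so they simply do not appear in the allowlist.
            raise OverrideRejected(f"override not permitted: {key!r}")
        if not check(value):
            raise OverrideRejected(f"invalid value for {key!r}")
    return submitted


def plugin_env(base_config, raw_json):
    """Merge vetted overrides over server config and render env-var strings."""
    merged = {**base_config, **validate_overrides(raw_json)}
    return {k: v if isinstance(v, str) else json.dumps(v) for k, v in merged.items()}


# Constructed sample: server-side config holding an operator-owned args key.
BASE = {"TIMEOUT": 60, "EXAMPLE_TOOL_ARGS": ["--quiet"]}
```

Rejecting the whole request on the first unknown key, rather than silently dropping it, also gives the operator a log event to alert on.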

Key dates

02 Disclosure timeline

May 9, 2026 CVE published
May 11, 2026 Record updated