CVE-2026-46497 LOW

CVE-2026-46497: SSRF via sitemap-derived URLs in Crawlee for Python

Vendor Apify

Product crawlee-python

Weakness CWE-918 · SSRF

Published June 10, 2026

Last update June 10, 2026

View on NVD All CVEs

CVSS base score

2.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

Description

Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.7.0.

Key dates

Disclosure timeline

June 10, 2026 CVE published

June 10, 2026 Record updated