CVE-2026-42601
Last modified
CVE-2026-42601 is a critical-severity vulnerability rated 9.3/10 on the CVSS scale. ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. EPSS estimates a 0.40% chance of exploitation in the next 30 days.
Description
ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. At time of publication, there are no publicly available patches.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Archivebox | Archivebox | < 0.8.6 | — |
| Archivebox | Archivebox | 0.8.6 | Rc0 |
References
- https://github.com/ArchiveBox/ArchiveBox/security/advisories/GHSA-3h23-7824-pj8rExploit, Vendor Advisory
- https://github.com/ArchiveBox/ArchiveBox/security/advisories/GHSA-3h23-7824-pj8rExploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-42601?
How severe is CVE-2026-42601?
How do I fix CVE-2026-42601?
Are you affected by CVE-2026-42601?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST