SCA: security update for Crawl4AI (GHSA-5882-5rx9-xgxp)

critical Tenable Cloud Security Plugin ID 436814

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API
deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using
exec(). The __import__ builtin was included in the allowed builtins, allowing unauthenticated remote
attackers to import arbitrary modules and execute system commands. Successful exploitation allows full
server compromise, including arbitrary command execution, file read and write access, sensitive data
exfiltration, and lateral movement within internal networks. (CVE-2026-26216)

See Also

https://github.com/advisories/GHSA-5882-5rx9-xgxp

Plugin Details

Severity: Critical

ID: 436814

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/17/2026

Updated: 6/24/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.78

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-26216

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 10

Threat Score: 9.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/16/2026

Vulnerability Publication Date: 1/16/2026

Reference Information

CVE: CVE-2026-26216

CWE: CWE-94