CVE-2026-42601— ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView

AI Predicted 9.8 Difficulty: Easy EPSS 0.06% · P19 Updated May 15, 2026

Possible ATT&CK Techniques 2AI

T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing Application

Affected Version Matrix 1

Vendor	Product	Version Range	Status
ArchiveBox	ArchiveBox	`<= 0.8.6rc0`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-42601

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView

Source: NVD (National Vulnerability Database)

Vulnerability Description

ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. At time of publication, there are no publicly available patches.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

参数注入或修改

Source: NVD (National Vulnerability Database)

Vulnerability Title

ArchiveBox 参数注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

ArchiveBox是ArchiveBox开源的一个功能强大的自托管互联网存档解决方案，用于收集、保存和查看您想要离线保存的网站。 ArchiveBox 0.8.6rc0及之前版本存在参数注入漏洞，该漏洞源于/add/端点接受未经验证的config JSON字段并合并到爬取配置中，可能导致注入任意工具参数实现远程代码执行。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
ArchiveBox	ArchiveBox	<= 0.8.6rc0	-

II. Public POCs for CVE-2026-42601

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-42601

请登录查看更多情报信息。

Vendor Advisories for CVE-2026-42601 (1)

RCE via unvalidated per-crawl config overrides in AddView · Advisory · ArchiveBox/ArchiveBox · GitHubx_refsource_CONFIRM

https://nvd.nist.gov/vuln/detail/CVE-2026-42601

IV. Related Vulnerabilities

Same product: ArchiveBox

CVE-2023-45815
Viewing wget extractor output while logged in as an admin al

Same vendor: ArchiveBox

CVE-2023-45815
Viewing wget extractor output while logged in as an admin al

Same weakness: CWE-88

V. Comments for CVE-2026-42601

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-42601— ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView

Possible ATT&CK Techniques 2AI

Affected Version Matrix 1

I. Basic Information for CVE-2026-42601

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-42601

III. Intelligence Information for CVE-2026-42601

Vendor Advisories for CVE-2026-42601 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-42601

Leave a comment