In ArchiveBox versions up to and including 0.6.2 a medium severity vulnerability CVE-2023-45815 was detected. This vulnerability allows an attacker to execute malicious JavaScript in the context of a user’s session, leading to Stored Cross-Site Scripting (XSS) and potential account takeover. This occurs because ArchiveBox serves archived content from the same host and port as its admin panel, which bypasses standard browser CORS and CSRF protections. If a user utilizes the wget extractor to archive a maliciously crafted page and subsequently views the output, the embedded JavaScript executes. For authenticated administrators, this allows the script to silently perform admin actions, such as adding, modifying, or removing snapshots and users. For unauthenticated users, the script can still read all other archived content. To address this issue, users should upgrade ArchiveBox to version 0.9.0 or later. As a temporary mitigation, administrators can disable the wget extractor by setting SAVE_WGET=False, ensure they are logged out before viewing archives, or serve a static HTML version of the archive. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-45815.
In ArchiveBox versions 0.8.6rc0 and prior a critical severity vulnerability CVE-2026-42601 was detected. This vulnerability allows attackers to achieve Remote Code Execution (RCE) by injecting arbitrary tool arguments. This occurs because the /add/ endpoint accepts a config JSON field that is merged into the crawl configuration without validation and exported as environment variables when archive plugins run. At the time of publication, there are no publicly available patches; users should monitor for updates or apply appropriate mitigations. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-42601.
Read more Utility