[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-56265":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-21T19:39:16.075Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":171,"aliases":172,"duplicate_of":9,"upstream":173,"downstream":174,"duplicates":175,"related":176,"reserved_at":9,"published_at":177,"modified_at":177,"state":178,"summary":179,"references_raw":186,"kevs":202,"epss":9,"epss_history":203,"metrics":204,"affected":212},"CVE-2026-56265","Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-798","Use of Hard-coded Credentials","The product contains hard-coded credentials, such as a password or cryptographic key.","weakness","Draft","Base","High",[20,118],{"id":21,"name":22,"techniques":23},"CAPEC-191","Read Sensitive Constants Within an Executable",[24],{"id":25,"name":26,"tactics":27,"countermeasures":31},"T1552.001","Credentials In Files",[28],{"id":29,"name":30},"TA0031","Credential Access",[32,37,41,45,50,54,58,63,67,72,76,80,84,89,93,98,102,106,110,114],{"id":33,"name":34,"tactic":35},"D3-CCSA","Credential Compromise Scope Analysis",{"name":36},"Detect",{"id":38,"name":39,"tactic":40},"D3-FA","File Analysis",{"name":36},{"id":42,"name":43,"tactic":44},"D3-FIM","File Integrity Monitoring",{"name":36},{"id":46,"name":47,"tactic":48},"D3-CR","Credential Revocation",{"name":49},"Evict",{"id":51,"name":52,"tactic":53},"D3-ANCI","Authentication Cache Invalidation",{"name":49},{"id":55,"name":56,"tactic":57},"D3-FEV","File Eviction",{"name":49},{"id":59,"name":60,"tactic":61},"D3-DUC","Decoy User Credential",{"name":62},"Deceive",{"id":64,"name":65,"tactic":66},"D3-DF","Decoy File",{"name":62},{"id":68,"name":69,"tactic":70},"D3-CH","Credential Hardening",{"name":71},"Harden",{"id":73,"name":74,"tactic":75},"D3-MFA","Multi-factor Authentication",{"name":71},{"id":77,"name":78,"tactic":79},"D3-CRO","Credential Rotation",{"name":71},{"id":81,"name":82,"tactic":83},"D3-FE","File Encryption",{"name":71},{"id":85,"name":86,"tactic":87},"D3-RIC","Reissue Credential",{"name":88},"Restore",{"id":90,"name":91,"tactic":92},"D3-RF","Restore File",{"name":88},{"id":94,"name":95,"tactic":96},"D3-CTS","Credential Transmission Scoping",{"name":97},"Isolate",{"id":99,"name":100,"tactic":101},"D3-CF","Content Filtering",{"name":97},{"id":103,"name":104,"tactic":105},"D3-LFP","Local File Permissions",{"name":97},{"id":107,"name":108,"tactic":109},"D3-RFAM","Remote File Access Mediation",{"name":97},{"id":111,"name":112,"tactic":113},"D3-CQ","Content Quarantine",{"name":97},{"id":115,"name":116,"tactic":117},"D3-CM","Content Modification",{"name":97},{"id":119,"name":120,"techniques":121},"CAPEC-70","Try Common or Default Usernames and Passwords",[122],{"id":123,"name":124,"tactics":125,"countermeasures":141},"T1078.001","Default Accounts",[126,129,132,135,138],{"id":127,"name":128},"TA0030","Defense Evasion",{"id":130,"name":131},"TA0005","Stealth",{"id":133,"name":134},"TA0110","Persistence",{"id":136,"name":137},"TA0111","Privilege Escalation",{"id":139,"name":140},"TA0108","Initial Access",[142,147,151,155,159,163,167],{"id":143,"name":144,"tactic":145},"D3-AM","Access Modeling",{"name":146},"Model",{"id":148,"name":149,"tactic":150},"D3-AL","Account Locking",{"name":49},{"id":152,"name":153,"tactic":154},"D3-AA","Agent Authentication",{"name":71},{"id":156,"name":157,"tactic":158},"D3-CDP","Change Default Password",{"name":71},{"id":160,"name":161,"tactic":162},"D3-ULA","Unlock Account",{"name":88},{"id":164,"name":165,"tactic":166},"D3-RUAA","Restore User Account Access",{"name":88},{"id":168,"name":169,"tactic":170},"D3-UAP","User Account Permissions",{"name":97},[],[],[],[],[],[],"2026-06-21T13:26:54.840Z","PUBLISHED",{"cisa_kev":180,"cisa_ransomware":180,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":181,"severity_score":182,"severity_version":183,"severity_source":184,"severity_vector":185,"severity_status":178},false,"critical",9.8,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[187,192,197],{"url":188,"sources":189,"tags":190},"https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg",[184],[191],"Vendor Advisory",{"url":193,"sources":194,"tags":195},"https://github.com/unclecode/crawl4ai",[184],[196],"Product",{"url":198,"sources":199,"tags":200},"https://www.vulncheck.com/advisories/crawl4ai-authentication-bypass-via-hardcoded-jwt-signing-key",[184],[201],"Third Party Advisory",[],[],[205],{"source":184,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":206,"cvss_v4_0":209},{"baseScore":182,"baseSeverity":207,"vectorString":185,"impactScore":182,"exploitabilityScore":208},"CRITICAL",10,{"baseScore":210,"baseSeverity":207,"vectorString":211,"impactScore":9,"exploitabilityScore":9},9.3,"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",[213],{"ecosystem":9,"name":214,"vendor":215,"product":215,"cpe_part":216,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":217},"Crawl4AI","crawl4ai","a",[218],{"version":219,"is_range":220,"range_type":184,"version_start":9,"version_start_type":9,"version_end":221,"version_end_type":222,"fixed_in":9},"\u003C 0.8.7",true,"0.8.7","excluding"]