GHSA-7cx2-g3h9-382p: Crawl4AI: Arbitrary file write (symlink/TOCTOU) plus log and webhook-header injection in Docker server

June 16, 2026

Three backward-compatible hardening fixes in the Docker API server. The headline issue is an arbitrary file write via the screenshot/PDF output_path.

References

github.com/advisories/GHSA-7cx2-g3h9-382p
github.com/unclecode/crawl4ai/issues/1
github.com/unclecode/crawl4ai/issues/2
github.com/unclecode/crawl4ai/pull/3
github.com/unclecode/crawl4ai/security/advisories/GHSA-7cx2-g3h9-382p

Code Behaviors & Features

Detect and mitigate GHSA-7cx2-g3h9-382p with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →