PyPI: archivebox
CVE-2026-42601
Safety vulnerability ID: SFTY-20260504-43844
Safety legacy ID: pyup.io-95898
Overview
ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView
Advisory
Affected versions of the archivebox package are vulnerable to Remote Code Execution due to unvalidated merging of user-supplied per-crawl configuration overrides that are later exported as environment variables consumed by archive plugin command lines. The /add/ endpoint implemented by AddView in core/views.py extracts a config JSON field from the form at line 887 with no validation, merges it into the crawl config at line 918, and the merged values are exported as process environment variables in hooks.py lines 398 to 411, where plugins such as plugins/ytdlp/on_Snapshot__02_ytdlp.bg.py at lines 122 to 123 read variables like YTDLP_ARGS_EXTRA and append them directly to the yt-dlp argv. A remote attacker who reaches the @csrf_exempt /add/ endpoint, which is unauthenticated when PUBLIC_ADD_VIEW is true, can submit a config payload that injects arbitrary yt-dlp arguments such as --exec to execute attacker-chosen commands on the host.
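As an added illustration that is not ArchiveBox's own code (the allow-list, key names and function names are hypothetical, and the payload is constructed), the following contrasts the unvalidated merge the advisory describes with a schema-checked merge that refuses unknown per-crawl override keys before anything is exported to a plugin's environment:

```python
import json

# Hypothetical allow-list of per-crawl keys a form may override and the type each
# must have; the real ArchiveBox config schema is not reproduced here.
ALLOWED_OVERRIDES = {"TIMEOUT": int, "SAVE_TITLE": bool, "SAVE_YTDLP": bool}

# Constructed base crawl config and a constructed form payload of the shape the
# advisory describes (the value would land in YTDLP_ARGS_EXTRA unchanged).
BASE_CONFIG = {"TIMEOUT": 60, "SAVE_TITLE": True, "SAVE_YTDLP": True}
ATTACK_PAYLOAD = '{"YTDLP_ARGS_EXTRA": "--exec <attacker command>"}'

class ConfigOverrideError(ValueError):
    """Raised when a per-crawl override is not permitted."""

def merge_unvalidated(base, config_json):
    """Vulnerable pattern: every form key reaches the crawl config unchecked."""
    merged = dict(base)
    merged.update(json.loads(config_json))
    return merged

def merge_validated(base, config_json):
    """Hardened pattern: JSON object, allow-listed keys, exact value types only."""
    try:
        overrides = json.loads(config_json)
    except json.JSONDecodeError as exc:
        raise ConfigOverrideError(f"config is not valid JSON: {exc}") from None
    if not isinstance(overrides, dict):
        raise ConfigOverrideError("config must be a JSON object")
    merged = dict(base)
    for key, value in overrides.items():
        expected = ALLOWED_OVERRIDES.get(key)
        if expected is None:
            raise ConfigOverrideError(f"override of {key!r} is not permitted")
        if type(value) is not expected:  # exact match: bool is a subclass of int
            raise ConfigOverrideError(f"{key} must be {expected.__name__}")
        merged[key] = value
    return merged

def to_environment(config):
    """Export a crawl config as env strings, where an unchecked override becomes plugin-visible."""
    return {key: str(value) for key, value in config.items()}

def rejection_reason(base, config_json):
    """Return the rejection message for a payload, or None if it is accepted."""
    try:
        merge_validated(base, config_json)
    except ConfigOverrideError as exc:
        return str(exc)
    return None
```

With the unvalidated merge the constructed payload surfaces in the exported environment; with the validated merge it is rejected before the merge happens.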
References
- https://getsafety.com/vulnerabilities/SFTY-20260504-43844/CVE-2026-42601
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42601
- https://data.safetycli.com/changelogs/archivebox/
- https://github.com/advisories/GHSA-3h23-7824-pj8r
- https://pypi.org/project/archivebox
- https://github.com/ArchiveBox/ArchiveBox/security/advisories/GHSA-3h23-7824-pj8r
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
