PatchSiren cyber security CVE debrief
CVE-2026-46497 apify CVE debrief
Crawlee, a web scraping and browser automation library, is vulnerable to SSRF via sitemap-derived URLs from version 1.0.0 to before version 1.7.0. This issue is patched in version 1.7.0.
- Vendor: apify
- Product: crawlee-python
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Crawlee library versions from 1.0.0 up to, but not including, 1.7.0.
Technical summary
The Crawlee library is vulnerable to Server-Side Request Forgery (SSRF) via sitemap-derived URLs. This vulnerability exists from version 1.0.0 up to but not including version 1.7.0. The issue has been addressed with the release of version 1.7.0.
Defensive priority
LOW
Recommended defensive actions
- Upgrade Crawlee library to version 1.7.0 or later.
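As a defence-in-depth measure alongside the upgrade, sitemap entries can be checked before they are queued for fetching. The following is an added example, not Crawlee's code and not the 1.7.0 fix; the function names, the same-host policy and the sample sitemap are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample sitemap: two entries on the crawled site, four that are not.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://shop.example.com/products/1</loc></url>
  <url><loc>http://127.0.0.1/status</loc></url>
  <url><loc>http://[::1]:8080/admin</loc></url>
  <url><loc>http://10.0.0.5/internal</loc></url>
  <url><loc>https://cdn.shop.example.com/img/1.png</loc></url>
  <url><loc>ftp://shop.example.com/export.csv</loc></url>
</urlset>"""
NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}


def allowed(url, sitemap_host):
    """Keep only http(s) URLs on the sitemap's own host or a subdomain of it."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        if not ipaddress.ip_address(host).is_global:
            return False  # loopback, private, link-local and similar ranges
    except ValueError:
        pass  # not an IP literal; fall through to the host comparison
    # Assumed policy: a sitemap may only list URLs for the site that served it.
    # Limitation: names are not resolved, so DNS pointing inward is not caught here.
    return host == sitemap_host or host.endswith("." + sitemap_host)


def filter_sitemap(xml_text, sitemap_url):
    """Split the <loc> entries of a sitemap into (kept, dropped) lists."""
    sitemap_host = (urlsplit(sitemap_url).hostname or "").lower()
    kept, dropped = [], []
    for loc in ET.fromstring(xml_text).iterfind(".//sm:loc", NS):
        url = (loc.text or "").strip()
        (kept if allowed(url, sitemap_host) else dropped).append(url)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_sitemap(SAMPLE_SITEMAP, "https://shop.example.com/sitemap.xml")
    print("kept:", kept)
    print("dropped:", dropped)
```

Logging the dropped list gives a detection signal: a sitemap that lists loopback or private addresses is worth investigating in its own right.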
Evidence notes
CVE-2026-46497 has a CVSS score of 2.3, indicating a low severity vulnerability.
Official resources
CVE-2026-46497 was published on 2026-06-10T16:17:08.890Z and modified on 2026-06-10T20:19:06.020Z.