PatchSiren cyber security CVE debrief
CVE-2026-42601 Unknown Vendor CVE debrief
CVE-2026-42601 is a critical ArchiveBox vulnerability affecting versions 0.8.6rc0 and earlier. According to the published advisory text, the /add/ endpoint accepts a config JSON field that is merged into the crawl configuration without validation. That configuration is then exported as environment variables when archive plugins run, creating an argument-injection path that can be abused to achieve remote code execution. At the time of publication, no public patches were available.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Operators and administrators of ArchiveBox deployments, especially any instance that exposes the /add/ endpoint to untrusted users or the internet. Security teams responsible for self-hosted web archiving infrastructure should treat this as an urgent remediation item.
Technical summary
The core issue is unvalidated merging of user-supplied config data in AddView (/add/ endpoint in core/views.py). Because the crawl config is later exported into environment variables for archive plugin execution, attacker-controlled values can influence downstream tool arguments. NVD records the issue as CVSS 9.3 Critical and maps it to CWE-88 (Argument Injection or Modification). The supplied sources state the affected range as ArchiveBox 0.8.6rc0 and prior, and they indicate no public patch was available when the CVE was published.
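One way to close the unvalidated-merge gap described above, shown as an added example that is not ArchiveBox's code and not its fix: request-supplied config is checked against an allowlist before it is merged and exported to a plugin's environment. All key names, limits and function names here are hypothetical.

```python
import re

class ConfigRejected(ValueError):
    """A request-supplied config key or value is not permitted."""

def _int_between(low, high):
    # type(v) is int also rejects booleans, which are ints in Python.
    return lambda v: type(v) is int and low <= v <= high

def _safe_text(v):
    # Plain printable text only, and never a leading "-" that a downstream
    # tool could parse as an option (the CWE-88 concern).
    return (isinstance(v, str) and not v.startswith("-")
            and re.fullmatch(r"[A-Za-z0-9 ./;:()_-]{1,200}", v) is not None)

# Hypothetical allowlist (assumed names, not ArchiveBox's real schema).
ALLOWED_USER_CONFIG = {
    "CRAWL_TIMEOUT": _int_between(1, 3600),
    "CRAWL_MAX_DEPTH": _int_between(0, 4),
    "CRAWL_USER_AGENT": _safe_text,
}

def merge_user_config(base, user_config):
    """Return a copy of base with validated overrides; unknown keys fail."""
    if not isinstance(user_config, dict):
        raise ConfigRejected("config must be a JSON object")
    merged = dict(base)
    for key, value in user_config.items():
        check = ALLOWED_USER_CONFIG.get(key)
        if check is None:
            raise ConfigRejected(f"key not allowed: {key!r}")
        if not check(value):
            raise ConfigRejected(f"invalid value for {key!r}")
        merged[key] = value
    return merged

def plugin_environment(config):
    """Environment for a plugin process, built only from validated config."""
    return {key: str(value) for key, value in config.items()}

# Constructed sample inputs (not taken from the advisory).
BASE = {"CRAWL_TIMEOUT": 60, "CRAWL_MAX_DEPTH": 0}
OK_REQUEST = {"CRAWL_TIMEOUT": 120}
BAD_KEY_REQUEST = {"SOME_TOOL_EXTRA_ARGS": "--example-flag"}
BAD_VALUE_REQUEST = {"CRAWL_USER_AGENT": "-x"}

def is_rejected(user_config):
    try:
        merge_user_config(BASE, user_config)
    except ConfigRejected:
        return True
    return False
```

Rejecting the whole request on the first unknown key, rather than silently dropping it, also gives the log review recommended below something concrete to alert on.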
Defensive priority
Immediate. The published description presents this as a network-reachable, unauthenticated path to RCE, so internet-facing or broadly accessible ArchiveBox instances should be prioritized for containment and access restriction now, and for version remediation as soon as a fixed release becomes available.
Recommended defensive actions
- Identify all ArchiveBox instances and confirm whether any are running version 0.8.6rc0 or earlier.
- Restrict access to the /add/ endpoint to trusted users only; place the application behind authentication and network controls if it is currently exposed.
- Treat plugin execution paths as high risk until a fixed version is available; isolate ArchiveBox and its plugin runtime as much as possible.
- Monitor the official ArchiveBox security advisory and NVD record for patch availability or updated guidance.
- Review application and proxy logs for unusual /add/ submissions or unexpected crawl-config values.
- If exposure cannot be reduced immediately, consider temporarily disabling public access to the affected functionality until remediation is available.
Evidence notes
The source corpus contains an NVD record published on 2026-05-09T20:16:29.873Z and a GitHub security advisory reference (GHSA-3h23-7824-pj8r). The provided description states that ArchiveBox versions 0.8.6rc0 and prior are affected, that /add/ merges an unvalidated config JSON field into crawl configuration, that this config is exported as environment variables during archive plugin execution, and that no public patches were available at publication. NVD lists CVSS 9.3 (Critical) and CWE-88.
Official resources
- CVE-2026-42601 CVE record (CVE.org)
- CVE-2026-42601 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
Published on 2026-05-09. The supplied materials indicate the issue was publicly disclosed then, with no public patch available at that time.