CVE-2026-42601 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-42601 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-42601 is a critical configuration injection vulnerability in ArchiveBox, an open-source, self-hosted web archiving platform developed by ArchiveBox. It affects the /add/ endpoint exposed in the application's web interface.
Technical Detail
The flaw exists in the AddView handler within core/views.py, where the /add/ endpoint accepts a user-supplied config JSON field that is merged directly into the crawl configuration without adequate sanitization or restriction. An attacker who can reach this endpoint can inject arbitrary configuration parameters, potentially overriding security-relevant settings or specifying execution paths that result in remote code execution on the host system. The severity of impact depends on the privileges under which ArchiveBox runs, but given that self-hosted instances frequently operate with elevated system access, successful exploitation could result in full host compromise. All versions through 0.8.6rc0 are confirmed affected.
Exploitation Status
No known exploit code has been publicly observed or confirmed as of this writing. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Exploit maturity is currently assessed as "no known exploit", though the high CVSS score of 9.8 and the straightforward nature of the injection vector suggest that functional exploit development would not be technically complex.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability. Given that ArchiveBox is typically deployed by journalists, researchers, and privacy-focused individuals, opportunistic attackers scanning for exposed self-hosted instances represent the most plausible near-term threat profile.
What To Do
Operators running ArchiveBox version 0.8.6rc0 or earlier should treat this as a high-priority remediation item given the critical CVSS rating and the potential for unauthenticated or low-privilege exploitation. Check the official ArchiveBox GitHub repository for a patched release and apply it immediately upon availability. As an interim workaround, restrict network access to the /add/ endpoint using firewall rules, reverse proxy authentication controls, or network segmentation so that only trusted users can reach the interface. Avoid exposing ArchiveBox instances directly to the public internet until a patch is applied. Monitor web server logs for unexpected or malformed JSON submissions to the /add/ endpoint as a detection signal.
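One way to act on the log-monitoring advice above, as an added example (not ArchiveBox code, not part of the original briefing): it audits logged POSTs to /add/ and flags untrusted sources, malformed config JSON, and config keys outside an operator-approved set. It assumes a reverse proxy that writes one JSON record per request including the submitted config field; the record layout, trusted range and key names are hypothetical.

```python
import ipaddress
import json
# Assumptions, not ArchiveBox values: trusted range, approved key names and record layout.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_KEYS = {"EXAMPLE_TIMEOUT", "EXAMPLE_DEPTH"}  # hypothetical key names

def audit_add_request(record):
    """Return findings for one logged request; an empty list means nothing to flag."""
    path = str(record.get("path", "")).split("?")[0].rstrip("/")
    if record.get("method") != "POST" or path != "/add":
        return []
    findings = []
    try:
        src = ipaddress.ip_address(record.get("src", ""))
        if not any(src in net for net in TRUSTED_NETS):
            findings.append("untrusted-source")
    except ValueError:
        findings.append("bad-source-address")
    raw = record.get("config")
    if raw in (None, ""):
        return findings
    try:
        cfg = json.loads(raw)
    except (TypeError, ValueError):
        return findings + ["malformed-config-json"]
    if not isinstance(cfg, dict):
        return findings + ["config-not-object"]
    extra = sorted(set(cfg) - APPROVED_KEYS)
    if extra:
        findings.append("unapproved-keys:" + ",".join(extra))
    return findings

def audit_log(lines):
    """Return (line_number, findings) for every flagged line of a JSON-lines log."""
    flagged = []
    for number, line in enumerate(lines, 1):
        try:
            findings = audit_add_request(json.loads(line))
        except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
            findings = ["unparseable-log-line"]
        if findings:
            flagged.append((number, findings))
    return flagged

# Constructed sample records (not real traffic), one JSON object per line.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"src": "10.1.2.3", "method": "POST", "path": "/add/", "config": '{"EXAMPLE_TIMEOUT": 60}'},
    {"src": "203.0.113.9", "method": "POST", "path": "/add/", "config": '{"EXAMPLE_TIMEOUT": 60, "OTHER_SETTING": "x"}'},
    {"src": "10.1.2.4", "method": "POST", "path": "/add/", "config": '{"EXAMPLE_DEPTH": '},
]]
```

Calling `audit_log(SAMPLE_LOG)` flags the second and third records; the approved-key set is deliberately an allowlist, so any key the operator has not reviewed is reported rather than silently accepted.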