External risk intelligence

ArchiveBox can be remotely controlled by an attacker

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-42601

ArchiveBox has a critical flaw that lets an unauthenticated attacker run commands on your server by sending it crafted input, potentially giving the attacker full control of the host.

Halo Surface Signal: 4

Affected product: ArchiveBox

Affected versions: before 0.8.6

External exposure likelihood

Halo Surface Signal score for CVE-2026-42601

ArchiveBox is a self-hosted web archiving service that accepts archiving requests over HTTP. It is commonly deployed as a web application that users reach from a browser to submit URLs. The vulnerability resides in the `/add/` endpoint, the primary endpoint for submitting those requests, and because the application is built to be accessed over the web, the vulnerable code is likely to be reachable from the network.

Horizon Alert

Summary of the vulnerability and why it matters

An issue in ArchiveBox allows attackers to inject commands that run on the server when it processes specially crafted configuration data. This means someone could potentially take control of the server.

  • Triggered by attacker-supplied crawl configuration (JSON) submitted to the `/add/` endpoint.
  • Leads to arbitrary code execution.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this by sending specially crafted JSON data to the `/add/` endpoint. The JSON manipulates the crawl configuration, and the injected values land in environment variables that archive plugins turn into command-line arguments for the tools they run (CWE-88, argument injection). Controlling those arguments ultimately enables remote code execution on the server.

  • No authentication required.
  • Targets the `/add/` endpoint.
  • Relies on unvalidated JSON input.
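The weakness class behind the attack path above, shown as an added example that is not ArchiveBox's code: a caller-supplied JSON configuration is copied into the environment of a plugin, which splits one variable into extra command-line arguments, beside a hardened version that allow-lists keys, never re-splits user input, refuses option-like values and separates options from the URL operand with `--`. The tool name `fetch-tool`, the variable `FETCH_ARGS` and the allow-listed keys are hypothetical names chosen for the illustration; nothing is executed, only the argv is built.

```python
import json
import shlex

# Constructed example. "fetch-tool", FETCH_ARGS and the allow-listed keys are
# hypothetical names for this illustration, not ArchiveBox's real plugins,
# configuration keys or environment variables.
ALLOWED_KEYS = {"TIMEOUT", "USER_AGENT"}


def vulnerable_build_argv(user_config_json: str, url: str) -> list[str]:
    """Vulnerable pattern (CWE-88): a caller-supplied JSON config map is copied
    verbatim into the environment handed to a plugin, and the plugin splits a
    *_ARGS variable into extra command-line arguments. Every token the caller
    puts there becomes a flag of the external tool."""
    cfg = json.loads(user_config_json)
    env = {key: str(value) for key, value in cfg.items()}  # no key or value validation
    extra = shlex.split(env.get("FETCH_ARGS", ""))          # the caller chooses the flags
    return ["fetch-tool", *extra, url]


def hardened_build_argv(user_config_json: str, url: str) -> list[str]:
    """Hardened form: only allow-listed keys are accepted, each value travels as
    its own argv element (never re-split by a shell or shlex), values that look
    like options are refused, and '--' separates options from the URL operand."""
    cfg = json.loads(user_config_json)
    argv = ["fetch-tool"]
    for key, value in cfg.items():
        if key not in ALLOWED_KEYS:
            raise ValueError(f"unknown config key: {key!r}")
        value = str(value)
        # "--key=value" keeps option and value in one argv element, so a leading
        # '-' cannot be parsed as a separate flag; the check still matters for
        # plugins that pass "--key value" as two elements.
        if value.startswith("-"):
            raise ValueError(f"option-like value for {key!r}: {value!r}")
        argv.append(f"--{key.lower().replace('_', '-')}={value}")
    if url.startswith("-"):
        raise ValueError("URL must not start with '-'")
    argv += ["--", url]
    return argv


if __name__ == "__main__":
    crafted = '{"FETCH_ARGS": "--output-file=/tmp/owned --no-check"}'
    print(vulnerable_build_argv(crafted, "https://example.org"))
    print(hardened_build_argv('{"TIMEOUT": 30}', "https://example.org"))
```

The vulnerable variant turns `{"FETCH_ARGS": "--output-file=/tmp/owned --no-check"}` into `["fetch-tool", "--output-file=/tmp/owned", "--no-check", "https://example.org"]`, so whatever the external tool can do with its flags (write files, load config, run helpers) is now under the caller's control. The hardened variant rejects the unknown key outright and produces `["fetch-tool", "--timeout=30", "--", "https://example.org"]` for a legitimate override.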

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this vulnerability appealing due to its critical severity and the potential for unauthenticated remote code execution. The lack of immediate public patches further increases its attractiveness.

  • No patch is listed in this advisory yet; the affected-version range above stops at 0.8.6, so check the vendor's release notes for a fixed release before relying on mitigations alone.
  • Public exploit is not yet known.
  • Targets web accessible service.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize containment and monitoring for ArchiveBox instances. No public exploit is known at the time of writing, but the flaw is critical, reachable without authentication, and no patch is listed here, so treat every exposed instance as attackable. Because exploitation requires reaching `/add/` unauthenticated, the most effective interim measure is to take that exposure away: place the instance behind authentication or a network allowlist, or take it offline until a fixed release is confirmed. Actively search logs and telemetry for POST requests to the `/add/` endpoint from unexpected sources, and if malicious traffic is detected, block the offending IP addresses. Inventory all ArchiveBox deployments to understand the scope of potential exposure.

  • Remove or restrict network exposure of affected instances immediately (authentication or network allowlist in front of `/add/`).
  • Monitor web server logs and network traffic for unexpected POST requests to `/add/`.
  • Block source IP addresses that send suspicious requests to the `/add/` endpoint.
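The log search recommended above, as an added example that is not part of the advisory or of ArchiveBox: it parses combined-format access-log lines (constructed for this example), flags POST requests to `/add/` that originate outside an assumed trusted network, and lists the source addresses that exceed a threshold as candidates for blocking. Request bodies are not in access logs, so the rule keys on method, path and source rather than on the JSON payload itself; the trusted network and the log lines are assumptions for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed combined-format access-log lines for this example; they are not
# real ArchiveBox logs. Bodies are not logged, so the rule keys on the method,
# path and source address rather than on the JSON payload itself.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2026:09:12:01 +0000] "GET /add/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2026:09:12:44 +0000] "POST /add/ HTTP/1.1" 302 0 "https://archive.internal/add/" "Mozilla/5.0"
203.0.113.17 - - [10/Jan/2026:09:13:02 +0000] "POST /add/ HTTP/1.1" 200 88 "-" "python-requests/2.31.0"
203.0.113.17 - - [10/Jan/2026:09:13:03 +0000] "POST /add/ HTTP/1.1" 200 88 "-" "python-requests/2.31.0"
198.51.100.9 - - [10/Jan/2026:09:13:10 +0000] "POST /add HTTP/1.1" 500 0 "-" "curl/8.5.0"
198.51.100.9 - - [10/Jan/2026:09:14:00 +0000] "GET / HTTP/1.1" 200 1200 "-" "curl/8.5.0"
"""

# Networks from which the web UI is legitimately used (assumed for the example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Matches /add, /add/ and either form with a query string or fragment.
ADD_PATH = re.compile(r"^/add/?(?:[?#].*)?$")


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(src: str) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_add_requests(log_text: str) -> list[dict]:
    """Return parsed entries that are POSTs to /add/ from outside TRUSTED_NETS.
    Abuse of /add/ arrives as a POST, so GETs (page loads) are ignored; a 500 is
    still reported because a failed attempt is still an attempt."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if (entry["method"] == "POST"
                and ADD_PATH.match(entry["path"])
                and not is_trusted(entry["src"])):
            hits.append(entry)
    return hits


def sources_to_block(log_text: str, threshold: int = 1) -> list[str]:
    """Source addresses with at least `threshold` suspicious /add/ POSTs, sorted."""
    counts = Counter(e["src"] for e in find_suspicious_add_requests(log_text))
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for e in find_suspicious_add_requests(SAMPLE_LOG):
        print(e["ts"], e["src"], e["method"], e["path"], e["status"], e["ua"])
    print("block:", sources_to_block(SAMPLE_LOG))
```

On the sample, the two internal entries are ignored (a page load and a POST from the trusted network) and three external POSTs are reported, including the one that returned 500 with the shortened `/add` path. The threshold parameter lets you separate a single probe from a sustained attempt; set the trusted networks to match where your users actually come from, and feed the real log file's lines to `find_suspicious_add_requests` instead of the constructed sample.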

Frequently asked questions

What is ArchiveBox and what is it used for?

ArchiveBox is an open-source system designed for self-hosting web archiving. It allows users to save and store copies of web pages, essentially creating a personal archive of online content.

What kind of weakness does CVE-2026-42601 represent?

CVE-2026-42601 is classified as CWE-88, Argument Injection: by providing specially crafted input, an attacker gets their own arguments passed to a command the application runs, and so changes what that command does.

How can an attacker exploit the ArchiveBox vulnerability?

An attacker could exploit this by sending a specially crafted JSON configuration to ArchiveBox's `/add/` endpoint. This unvalidated JSON data can then be used to inject arbitrary arguments into environment variables, leading to remote code execution.

Who should be concerned about this ArchiveBox vulnerability?

Organizations running ArchiveBox, especially those with internet-facing instances, should be concerned. This is because the vulnerability can be triggered remotely by unauthenticated attackers, posing a significant risk to their systems.

What is the first step to respond to this ArchiveBox threat?

Given that no patch is listed here yet, the immediate first step is to focus on containment and monitoring. This means removing or restricting network access to affected ArchiveBox instances where possible, especially unauthenticated access to `/add/`, and closely watching web server logs and network traffic for signs of exploitation targeting that endpoint.
