CVE-2026-46497

Description

Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.7.0.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

None

User Interaction

Passive

Confidentiality (Vulnerable System)

Low

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

Low

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

apify / crawlee-python>= 1.0.0, < 1.7.0 – >= 1.0.0, < 1.7.0

References

VENDOR_ADVISORYhttps://github.com/apify/crawlee-python/security/advisories/GHSA-3r75-xc34-5f44
PATCHhttps://github.com/apify/crawlee-python/releases/tag/v1.7.0