Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
14 vulnerabilities by Arcadia Technology, LLC
CVE-2026-5652 (GCVE-0-2026-5652)
Vulnerability from nvd – Published: 2026-04-21 16:33 – Updated: 2026-04-21 17:22
VLAI
Title
Authorization Bypass Through User-Controlled Key in Crafty Controller
Summary
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.
Severity
9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
0 , ≤ 4.10.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5652",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T17:21:48.540617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T17:22:27.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/work_items/705"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThanOrEqual": "4.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Kacper Leszczy\u0144ski / szotgan](https://gitlab.com/szotgan) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:33:56.878Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"url": "https://gitlab.com/crafty-controller/crafty-4/-/work_items/705"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.10.3"
}
],
"title": "Authorization Bypass Through User-Controlled Key in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-5652",
"datePublished": "2026-04-21T16:33:56.878Z",
"dateReserved": "2026-04-06T05:03:53.661Z",
"dateUpdated": "2026-04-21T17:22:27.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0963 (GCVE-0-2026-0963)
Vulnerability from nvd – Published: 2026-01-30 06:04 – Updated: 2026-02-02 16:33
VLAI
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
Summary
An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Severity
9.9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-trackingpermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.7.0 , < 4.8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:24:06.892805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:33:26.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.8.0",
"status": "affected",
"version": "4.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T06:04:05.503Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #660",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/660"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.8.0"
}
],
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-0963",
"datePublished": "2026-01-30T06:04:05.503Z",
"dateReserved": "2026-01-14T20:14:16.821Z",
"dateUpdated": "2026-02-02T16:33:26.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0805 (GCVE-0-2026-0805)
Vulnerability from nvd – Published: 2026-01-30 06:04 – Updated: 2026-02-02 16:33
VLAI
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
Summary
An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-trackingpermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.5.0 , < 4.8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:23:52.162136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:33:11.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.8.0",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T06:04:15.330Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #650",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/650"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.8.0"
}
],
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-0805",
"datePublished": "2026-01-30T06:04:15.330Z",
"dateReserved": "2026-01-09T10:40:55.812Z",
"dateUpdated": "2026-02-02T16:33:11.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14700 (GCVE-0-2025-14700)
Vulnerability from nvd – Published: 2025-12-17 00:04 – Updated: 2025-12-17 21:25
VLAI
Title
Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller
Summary
An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.
Severity
9.9 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-trackingpermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.6.1
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T21:24:39.127580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T21:25:02.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"status": "affected",
"version": "4.6.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T00:04:37.049Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #646",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/646"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.6.2"
}
],
"title": "Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-14700",
"datePublished": "2025-12-17T00:04:37.049Z",
"dateReserved": "2025-12-14T14:48:04.696Z",
"dateUpdated": "2025-12-17T21:25:02.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14701 (GCVE-0-2025-14701)
Vulnerability from nvd – Published: 2025-12-17 00:04 – Updated: 2025-12-17 21:20
VLAI
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller
Summary
An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-trackingpermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
0 , < 4.6.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T21:20:31.643289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T21:20:58.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T00:04:32.259Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #647",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/647"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.6.2"
}
],
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-14701",
"datePublished": "2025-12-17T00:04:32.259Z",
"dateReserved": "2025-12-14T14:55:30.519Z",
"dateUpdated": "2025-12-17T21:20:58.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5990 (GCVE-0-2025-5990)
Vulnerability from nvd – Published: 2025-06-15 18:01 – Updated: 2025-06-16 13:48
VLAI
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller
Summary
An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-trackingpermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.2.2 , ≤ 4.2.3
(semver)
Affected: 4.3.0 , ≤ 4.3.2 (semver) Affected: 4.4.0 , < 4.4.10 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-16T13:48:12.494095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T13:48:53.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThanOrEqual": "4.2.3",
"status": "affected",
"version": "4.2.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.3.2",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.4.10",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Kacper Leszczy\u0144ski / szotgan](https://gitlab.com/szotgan) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-15T18:01:09.667Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #567",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/567"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.4.10"
}
],
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-5990",
"datePublished": "2025-06-15T18:01:09.667Z",
"dateReserved": "2025-06-11T06:02:33.232Z",
"dateUpdated": "2025-06-16T13:48:53.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1064 (GCVE-0-2024-1064)
Vulnerability from nvd – Published: 2024-02-03 09:02 – Updated: 2024-08-29 15:04
VLAI
Title
Improper Neutralization of HTTP Headers for Scripting Syntax in Crafty Controller 4
Summary
A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.0.0 , ≤ 4.2.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1064",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-06T17:03:37.645654Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:34.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:26:30.489Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GitLab Issue #327",
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/327"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThanOrEqual": "4.2.2",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks to [ebartz1](https://gitlab.com/ebartz1) on GitLab for initially reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-644",
"description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:04:54.738Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #327",
"tags": [
"issue-tracking"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/327"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Crafty Controller 4.2.3 or higher OR block requests to the Crafty Controller HTTP port"
}
],
"title": "Improper Neutralization of HTTP Headers for Scripting Syntax in Crafty Controller 4"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2024-1064",
"datePublished": "2024-02-03T09:02:20.539Z",
"dateReserved": "2024-01-30T09:30:40.948Z",
"dateUpdated": "2024-08-29T15:04:54.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-5652 (GCVE-0-2026-5652)
Vulnerability from cvelistv5 – Published: 2026-04-21 16:33 – Updated: 2026-04-21 17:22
VLAI
Title
Authorization Bypass Through User-Controlled Key in Crafty Controller
Summary
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.
Severity
9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
0 , ≤ 4.10.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5652",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T17:21:48.540617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T17:22:27.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/work_items/705"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThanOrEqual": "4.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Kacper Leszczy\u0144ski / szotgan](https://gitlab.com/szotgan) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:33:56.878Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"url": "https://gitlab.com/crafty-controller/crafty-4/-/work_items/705"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.10.3"
}
],
"title": "Authorization Bypass Through User-Controlled Key in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-5652",
"datePublished": "2026-04-21T16:33:56.878Z",
"dateReserved": "2026-04-06T05:03:53.661Z",
"dateUpdated": "2026-04-21T17:22:27.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0805 (GCVE-0-2026-0805)
Vulnerability from cvelistv5 – Published: 2026-01-30 06:04 – Updated: 2026-02-02 16:33
VLAI
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
Summary
An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-trackingpermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.5.0 , < 4.8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:23:52.162136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:33:11.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.8.0",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T06:04:15.330Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #650",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/650"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.8.0"
}
],
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-0805",
"datePublished": "2026-01-30T06:04:15.330Z",
"dateReserved": "2026-01-09T10:40:55.812Z",
"dateUpdated": "2026-02-02T16:33:11.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0963 (GCVE-0-2026-0963)
Vulnerability from cvelistv5 – Published: 2026-01-30 06:04 – Updated: 2026-02-02 16:33
VLAI
Title
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
Summary
An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Severity
9.9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-trackingpermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.7.0 , < 4.8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:24:06.892805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:33:26.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.8.0",
"status": "affected",
"version": "4.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T06:04:05.503Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #660",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/660"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.8.0"
}
],
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-0963",
"datePublished": "2026-01-30T06:04:05.503Z",
"dateReserved": "2026-01-14T20:14:16.821Z",
"dateUpdated": "2026-02-02T16:33:26.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14700 (GCVE-0-2025-14700)
Vulnerability from cvelistv5 – Published: 2025-12-17 00:04 – Updated: 2025-12-17 21:25
VLAI
Title
Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller
Summary
An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.
Severity
9.9 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-trackingpermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.6.1
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T21:24:39.127580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T21:25:02.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"status": "affected",
"version": "4.6.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T00:04:37.049Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #646",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/646"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.6.2"
}
],
"title": "Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-14700",
"datePublished": "2025-12-17T00:04:37.049Z",
"dateReserved": "2025-12-14T14:48:04.696Z",
"dateUpdated": "2025-12-17T21:25:02.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14701 (GCVE-0-2025-14701)
Vulnerability from cvelistv5 – Published: 2025-12-17 00:04 – Updated: 2025-12-17 21:20
VLAI
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller
Summary
An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-trackingpermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
0 , < 4.6.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T21:20:31.643289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T21:20:58.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThan": "4.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T00:04:32.259Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #647",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/647"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.6.2"
}
],
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-14701",
"datePublished": "2025-12-17T00:04:32.259Z",
"dateReserved": "2025-12-14T14:55:30.519Z",
"dateUpdated": "2025-12-17T21:20:58.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5990 (GCVE-0-2025-5990)
Vulnerability from cvelistv5 – Published: 2025-06-15 18:01 – Updated: 2025-06-16 13:48
VLAI
Title
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller
Summary
An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-trackingpermissions-required |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.2.2 , ≤ 4.2.3
(semver)
Affected: 4.3.0 , ≤ 4.3.2 (semver) Affected: 4.4.0 , < 4.4.10 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-16T13:48:12.494095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T13:48:53.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThanOrEqual": "4.2.3",
"status": "affected",
"version": "4.2.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.3.2",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.4.10",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Kacper Leszczy\u0144ski / szotgan](https://gitlab.com/szotgan) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-15T18:01:09.667Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #567",
"tags": [
"issue-tracking",
"permissions-required"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/567"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.4.10"
}
],
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-5990",
"datePublished": "2025-06-15T18:01:09.667Z",
"dateReserved": "2025-06-11T06:02:33.232Z",
"dateUpdated": "2025-06-16T13:48:53.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1064 (GCVE-0-2024-1064)
Vulnerability from cvelistv5 – Published: 2024-02-03 09:02 – Updated: 2024-08-29 15:04
VLAI
Title
Improper Neutralization of HTTP Headers for Scripting Syntax in Crafty Controller 4
Summary
A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://gitlab.com/crafty-controller/crafty-4/-/i… | issue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
4.0.0 , ≤ 4.2.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1064",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-06T17:03:37.645654Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:34.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:26:30.489Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GitLab Issue #327",
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/327"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThanOrEqual": "4.2.2",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks to [ebartz1](https://gitlab.com/ebartz1) on GitLab for initially reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-644",
"description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:04:54.738Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #327",
"tags": [
"issue-tracking"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/327"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Crafty Controller 4.2.3 or higher OR block requests to the Crafty Controller HTTP port"
}
],
"title": "Improper Neutralization of HTTP Headers for Scripting Syntax in Crafty Controller 4"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2024-1064",
"datePublished": "2024-02-03T09:02:20.539Z",
"dateReserved": "2024-01-30T09:30:40.948Z",
"dateUpdated": "2024-08-29T15:04:54.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}