MidnightBSD

Advisories for craftycontrol

CVE-2024-1064

A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified Host header.

CVSS 3.x

Source          Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov    7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  3.9             3.6
cve@gitlab.com  7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  3.9             3.6

Products Affected

Vendor         Product            Version
craftycontrol  crafty_controller  *

CVE-2025-14700

An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

CVSS 3.x

Source          Score  Severity  Vector                                        Exploitability  Impact
cve@gitlab.com  9.9    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H  3.1             6.0

Products Affected

Vendor         Product            Version
craftycontrol  crafty_controller  4.6.1

CVE-2025-14701

An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification.

CVSS 3.x

Source          Score  Severity  Vector                                        Exploitability  Impact
cve@gitlab.com  7.1    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N  2.8             4.2

Products Affected

Vendor         Product            Version
craftycontrol  crafty_controller  *

CVE-2025-5990

An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.

CVSS 3.x

Source          Score  Severity  Vector                                        Exploitability  Impact
cve@gitlab.com  7.6    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N  2.3             4.7

Products Affected

Vendor         Product            Version
craftycontrol  crafty_controller  *
craftycontrol  crafty_controller  4.2.0

CVE-2026-0805

An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

CVSS 3.x

Source          Score  Severity  Vector                                        Exploitability  Impact
cve@gitlab.com  8.2    HIGH      CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N  1.8             5.8

Products Affected

Vendor         Product            Version
craftycontrol  crafty_controller  *

CVE-2026-0963

An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

CVSS 3.x

Source          Score  Severity  Vector                                        Exploitability  Impact
cve@gitlab.com  9.9    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L  3.1             6.0

Products Affected

Vendor         Product            Version
craftycontrol  crafty_controller  4.7.0

CVE-2026-5652

An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.

CVSS 3.x

Source          Score  Severity  Vector                                        Exploitability  Impact
cve@gitlab.com  9.0    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L  2.3             6.0

Products Affected

Vendor         Product            Version
craftycontrol  crafty_controller  *