CRITICAL🇵🇱 Wersja polska

CVE-2025-14700

CVSS 9.9v3.1pub. 2025-12-17upd. 2025-12-23

An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

🤖 AI Analysis
How it works

The Webhook Template component does not properly neutralize user-supplied input, leading to a Server Side Template Injection (SSTI) vulnerability (CWE-1336). An attacker can inject malicious template expressions into the Webhook Template field, which are then interpreted and executed on the server side. This allows an attacker to gain control over the server process and execute arbitrary system commands.

Impact

A remote authenticated attacker can execute arbitrary code on the server hosting Crafty Controller, which may result in complete system compromise, data theft, and lateral movement within the internal network.

Mitigation & patch

Apply patches available from the vendor according to the references (https://gitlab.com/crafty-controller/crafty-4/-/issues/646). Until the update is applied, restrict access to the Crafty Controller interface only to trusted users and monitor the activity of accounts with permissions to configure Webhook Template.

Who is affected

Craftycontrol Crafty Controller — versions indicated in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Craftycontrol Crafty Controller

    APP
    Craftycontrol
    4.6.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-5652CRITICAL9.0PL ✓ten sam produkt

IDOR w Crafty Controller — nieautoryzowana modyfikacja kont użytkowników

CVE-2026-0963CRITICAL9.9PL ✓ten sam produkt

Path Traversal umożliwiający RCE w Crafty Controller (File Operations API)

CVE-2026-0805HIGH8.2ten sam produkt

An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remo...

CVE-2025-14701HIGH7.1ten sam produkt

An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unaut...

CVE-2025-5990HIGH7.6ten sam produkt

An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller...