CRITICAL🇵🇱 Wersja polska

CVE-2026-0963

CVSS 9.9v3.1pub. 2026-01-30upd. 2026-02-26

An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

🤖 AI Analysis
How it works

The File Operations API Endpoint component does not properly sanitize input data containing path traversal sequences (e.g., '../'). An attacker with only basic authentication can use a specially crafted network request to escape the allowed directory and gain access to arbitrary system files. By modifying or tampering with files, it is possible to ultimately achieve remote code execution (RCE) on the server hosting the application.

Impact

An attacker can read, modify, or overwrite any files accessible to the application process, which ultimately leads to complete server takeover through remote code execution.

Mitigation & patch

Security patches provided by the vendor should be applied according to references (https://gitlab.com/crafty-controller/crafty-4/-/issues/660). Until patches are implemented, it is recommended to restrict access to the API exclusively to trusted, authenticated users and to monitor logs for suspicious requests to File Operations endpoints.

Who is affected

Craftycontrol Crafty Controller — versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
  • Craftycontrol Crafty Controller

    APP
    Craftycontrol
    4.7.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2026-5652CRITICAL9.0PL ✓ten sam produkt

IDOR w Crafty Controller — nieautoryzowana modyfikacja kont użytkowników

CVE-2025-14700CRITICAL9.9PL ✓ten sam produkt

RCE przez Server Side Template Injection w Crafty Controller (Webhook Template)

CVE-2026-0805HIGH8.2ten sam produkt

An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remo...

CVE-2025-14701HIGH7.1ten sam produkt

An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unaut...

CVE-2025-5990HIGH7.6ten sam produkt

An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller...