CVE-2025-14700
published 2025-12-17


Priority: P2 (73) · Severity: critical · CVSS 3.1 base score: 9.9
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (network-reachable, low attack complexity, low privileges required, no user interaction, scope changed, high confidentiality, integrity and availability impact)
EPSS: 6.00% (92.4th percentile)
An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

Affected

3 ranges (one per CPE vendor string; all refer to the same product)

Vendor                   Product             Version range   Fixed in
arcadia_technology_llc   crafty_controller   4.6.1           4.6.2
craftycontrol            crafty_controller   4.6.1           4.6.2
gitlab                   crafty_controller   4.6.1           4.6.2

The version columns reflect the sources quoted under Detection & IOCs: 4.6.1 is the only version confirmed affected, and 4.6.2 contains the fix.

Detection & IOCs (extracted from sources)

  • The vulnerability is in the Webhook Template component of Crafty Controller. Because that component exists to render user-supplied templates, bare template delimiters are expected there; monitor webhook template fields edited by authenticated users for Server Side Template Injection (SSTI) payloads, i.e. template expressions that walk object internals (dunder attributes such as __class__, __mro__, __subclasses__, __globals__) or reach process-spawning functions.
  • Only Crafty Controller version 4.6.1 is confirmed affected; presence of this version in the environment indicates exposure to CVE-2025-14700. Earlier versions are neither confirmed nor ruled out by the available sources.
  • Upgrading to Crafty Controller 4.6.2 remediates the vulnerability; systems still running 4.6.1 should be treated as unpatched and at risk.
  • Exploitation requires the attacker to be authenticated; unauthenticated remote exploitation is not indicated by the available sources. Any account that can edit webhook templates is therefore a path to code execution on the host, so review who holds that permission.
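The two checks above (version exposure and SSTI payloads in webhook template edits) as an added example in Python, the language Crafty Controller is written in. This is not code from the advisory or from the Crafty Controller project. It assumes Jinja2-style delimiters and Python object traversal, which is the usual shape of SSTI against Python web applications; the advisory does not name the template engine, so the token list should be tuned to the real one. The JSON-lines log format and the event name webhook_template_update are constructed for the example and are not Crafty Controller's actual log format.

```python
import json
import re

# Only 4.6.1 is confirmed affected by the sources; 4.6.2 is the fix.
# Earlier versions are unconfirmed, so they are deliberately not listed.
AFFECTED_VERSIONS = {(4, 6, 1)}

# Delimiters of Jinja2-style template engines (assumption: the advisory does
# not name the engine). Legitimate webhook templates are expected to contain
# these, so on their own they carry no weight.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\{#")

# Tokens that have no business in a notification template: object-graph
# walking via dunder attributes, process spawning, eval/exec, the attr filter
# and the Jinja2 globals commonly used as gadgets.
HIGH_RISK = re.compile(
    r"__(?:class|mro|subclasses|globals|builtins|import|init|base|bases)__"
    r"|\bos\.(?:popen|system)\b"
    r"|\bsubprocess\b"
    r"|\b(?:eval|exec)\s*\("
    r"|\|\s*attr\s*\("
    r"|\bcycler\b|\bjoiner\b|\blipsum\b"
)


def parse_version(s: str) -> tuple:
    """Parse 'v4.6.1' / '4.6.1' into (4, 6, 1); reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(s: str) -> bool:
    """True when the running version is one the sources confirm affected."""
    return parse_version(s) in AFFECTED_VERSIONS


def classify_template(template: str):
    """Return (severity, sorted indicator tokens) for one template body."""
    indicators = sorted({m.group(0) for m in HIGH_RISK.finditer(template)})
    inside_expression = bool(TEMPLATE_DELIMS.search(template))
    if indicators and inside_expression:
        return "high", indicators
    if indicators:
        # Suspicious tokens without delimiters: worth a look, not an alert.
        return "medium", indicators
    return "none", []


def scan_webhook_events(lines):
    """Scan JSON-lines audit events and report suspicious webhook template edits."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an audit event; skip
        if ev.get("event") != "webhook_template_update":
            continue
        severity, indicators = classify_template(ev.get("template", ""))
        if severity != "none":
            findings.append({
                "user": ev.get("user"),
                "severity": severity,
                "indicators": indicators,
                "template": ev["template"],
            })
    return findings


# Constructed sample log: one benign edit, three SSTI attempts, one unrelated
# event and one non-JSON line. Not real Crafty Controller output.
SAMPLE_LOG = [
    '{"ts":"2025-12-17T10:00:00Z","user":"alice","event":"webhook_template_update",'
    '"template":"Server {{ server_name }} is now {{ status }}"}',
    '{"ts":"2025-12-17T10:05:00Z","user":"mallory","event":"webhook_template_update",'
    '"template":"{{ \'\'.__class__.__mro__[1].__subclasses__() }}"}',
    '{"ts":"2025-12-17T10:06:00Z","user":"mallory","event":"webhook_template_update",'
    '"template":"{{ cycler.__init__.__globals__.os.popen(\'id\').read() }}"}',
    '{"ts":"2025-12-17T10:07:00Z","user":"mallory","event":"webhook_template_update",'
    '"template":"{% for c in \'\'.__class__.__base__.__subclasses__() %}{{ c }}{% endfor %}"}',
    '{"ts":"2025-12-17T10:08:00Z","user":"bob","event":"login","result":"ok"}',
    "tornado.access: 200 GET /panel/dashboard",
]

if __name__ == "__main__":
    print("4.6.1 affected:", is_affected_version("4.6.1"))
    for f in scan_webhook_events(SAMPLE_LOG):
        print(f["severity"], f["user"], f["indicators"])
```

The severity split matters in practice: a webhook template that merely contains `{{ ... }}` is the component working as designed, so alerting on delimiters would page on every legitimate edit. Alerting on dunder traversal or process-spawning tokens inside an expression is what separates an SSTI attempt from a normal template, and pairing each finding with the editing account gives the incident responder the principal to disable.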