CVE-2025-5990
Published 2025-06-15. CVE-2025-5990: An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to…
Priority: P4 27 · Severity: medium · CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.21% (11.5th percentile)
An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcadia_technology_llc | crafty_controller | 4.2.2 – 4.2.3 | — |
| arcadia_technology_llc | crafty_controller | 4.3.0 – 4.3.2 | — |
| arcadia_technology_llc | crafty_controller | >= 4.4.0 < 4.4.10 | 4.4.10 |
| craftycontrol | crafty_controller | — | — |
| craftycontrol | crafty_controller | >= 4.3.0 < 4.3.2 | 4.3.2 |
| craftycontrol | crafty_controller | >= 4.4.0 < 4.4.10 | 4.4.10 |
| gitlab | crafty_controller | — | — |
GitLab
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller
Source: vendor_gitlab · 2025-06-15 · CVSS 5.4
CVE-2025-5990 [MEDIUM] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller
An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.
Affected products: Crafty Controller
Affected versions: 4.2.2 (affected), 4.3.0 (affected), >=4.4.0, <4.4.10 (affected)
Solution: Upgrade to version 4.4.10
Credit: Thank you to [Kacper Leszczyński / szotgan](https://gitlab.com/szotgan) on GitLab for reporting this issue.
GHSA
GHSA-vjmm-35qw-59gh: An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker
Source: ghsa_unreviewed · 2025-06-15
CVE-2025-5990 [HIGH] CWE-79 GHSA-vjmm-35qw-59gh: An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-06-15