CVE-2025-5990
published 2025-06-15

Priority: P4 27 | medium | 5.4 | CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.21% (11.5th percentile)
An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.

Affected

7 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcadia_technology_llc | crafty_controller | 4.2.2 – 4.2.3 | |
| arcadia_technology_llc | crafty_controller | 4.3.0 – 4.3.2 | |
| arcadia_technology_llc | crafty_controller | >= 4.4.0 < 4.4.10 | 4.4.10 |
| craftycontrol | crafty_controller | | |
| craftycontrol | crafty_controller | >= 4.3.0 < 4.3.2 | 4.3.2 |
| craftycontrol | crafty_controller | >= 4.4.0 < 4.4.10 | 4.4.10 |
| gitlab | crafty_controller | | |