CVE-2026-0805
published 2026-01-30

Priority: P261 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% (44.2th percentile)

An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

Affected

3 ranges
Vendor                  Product            Version range       Fixed in
arcadia_technology_llc  crafty_controller  >= 4.5.0 < 4.8.0    4.8.0
craftycontrol           crafty_controller  >= 4.5.0 < 4.8.0    4.8.0
gitlab                  crafty_controller

Detection & IOCs (extracted from sources)

  • Vulnerability exists in the Backup Configuration component of Crafty Controller; monitor for path traversal sequences in backup configuration requests (e.g., '../' or URL-encoded equivalents) submitted by authenticated users
  • Affected Crafty Controller versions are >=4.5.0 and <4.8.0; presence of these versions in the environment indicates exposure to this path traversal RCE vulnerability
  • Exploitation requires the attacker to be remote AND authenticated; unauthenticated access alone is insufficient to trigger this vulnerability
  • The vulnerability is specifically scoped to the Backup Configuration component, not the broader Crafty Controller attack surface