CVE-2026-0963
published 2026-01-30


Priority: P2 (63) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% (47.8th percentile)
An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

Affected (3 ranges)

Vendor                  Product             Version range         Fixed in
arcadia_technology_llc  crafty_controller   >= 4.7.0, < 4.8.0     4.8.0
craftycontrol           crafty_controller   (not specified)       (not specified)
gitlab                  crafty_controller   (not specified)       (not specified)

Detection & IOCs (extracted from sources)

  • The vulnerability is in the File Operations API Endpoint component of Crafty Controller; monitor for path traversal sequences (e.g. '../') in API requests targeting file operation endpoints.
  • Only authenticated remote attackers can exploit this; correlate anomalous file operation API calls with authenticated sessions on Crafty Controller instances running versions >= 4.7.0 and < 4.8.0.
  • Exploitation requires an authenticated session; unauthenticated attackers cannot directly trigger the path traversal. Scope detection to authenticated API activity.
  • Only Crafty Controller versions >= 4.7.0 and < 4.8.0 are affected; version 4.8.0 contains the fix and should not be flagged.