CVE-2026-0963
Published 2026-01-30. CVE-2026-0963: An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform…
Priority: P2 (63) · Severity: high · CVSS 3.1 base score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% (47.8th percentile)
An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcadia_technology_llc | crafty_controller | >= 4.7.0 < 4.8.0 | 4.8.0 |
| craftycontrol | crafty_controller | — | — |
| gitlab | crafty_controller | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability exists in the File Operations API Endpoint component of Crafty Controller; monitor for path traversal sequences (e.g., '../') in API requests targeting file operation endpoints.
- Only authenticated remote attackers can exploit this; correlate anomalous file operation API calls with authenticated sessions on Crafty Controller instances running versions >=4.7.0 and <4.8.0.
- Exploitation requires an authenticated session; unauthenticated attackers cannot directly trigger the path traversal. Scope detection to authenticated API activity.
- Only Crafty Controller versions >=4.7.0 and <4.8.0 are affected; version 4.8.0 contains the fix and should not be flagged.
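The three detection conditions above (traversal sequence in a file-operation request, authenticated session, affected version range) combined into one log-triage routine. This is an added example, not code from the advisory or from the Crafty Controller project; the log format, the `/files` endpoint marker and the sample lines are constructed assumptions and should be adjusted to your deployment.

```python
"""Detection helper for the Crafty Controller path-traversal advisory (CVE-2026-0963).
Added example, not Crafty Controller code. Assumptions (constructed): a
combined-style access log whose third field is the authenticated user ('-' when
anonymous), and file-operation endpoints whose path contains '/files'."""
import re
from urllib.parse import unquote

AFFECTED_MIN, FIXED = (4, 7, 0), (4, 8, 0)   # advisory: >=4.7.0, <4.8.0
FILE_OP_PATH = re.compile(r"/files", re.I)    # assumed endpoint marker; adjust per deployment
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|$)")    # '../', '..\' or a trailing '..'
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED

def has_traversal(raw_path):
    # Decode twice so single- and double-URL-encoded '../' are both caught.
    return bool(TRAVERSAL.search(unquote(unquote(raw_path))))

def flag_requests(log_lines, version):
    """Return (user, method, path) for authenticated file-op requests carrying traversal.
    Returns [] for versions outside the affected range, so 4.8.0 is never flagged."""
    if not is_affected(version):
        return []
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ip, user, method, path, _status = m.groups()
        if user == "-":          # unauthenticated: cannot reach the flaw per advisory
            continue
        if FILE_OP_PATH.search(path) and has_traversal(path):
            hits.append((user, method, path))
    return hits

# Constructed sample lines (endpoint paths are placeholders, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [30/Jan/2026:10:00:01 +0000] "GET /api/files?path=world/level.dat HTTP/1.1" 200',
    '10.0.0.5 - admin [30/Jan/2026:10:00:02 +0000] "GET /api/files?path=../../app.cfg HTTP/1.1" 200',
    '10.0.0.9 - - [30/Jan/2026:10:00:03 +0000] "GET /api/files?path=..%2F..%2Fapp.cfg HTTP/1.1" 401',
    '10.0.0.7 - ops [30/Jan/2026:10:00:04 +0000] "PUT /api/files?path=%252e%252e%252fapp.cfg HTTP/1.1" 200',
    '10.0.0.7 - ops [30/Jan/2026:10:00:05 +0000] "GET /api/logs HTTP/1.1" 200',
]
if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG, "4.7.3"):
        print("suspicious:", hit)
```

Running it against the constructed log flags the admin's plain `../` request and the double-encoded PUT, while the unauthenticated line and the non-file endpoint are ignored.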
GHSA
GHSA-8phm-9c2m-9hpq (ghsa_unreviewed · 2026-01-30)
CVE-2026-0963 [CRITICAL] CWE-22
An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
GitLab
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller
vendor_gitlab · 2026-01-30 · CVSS 8.8
CVE-2026-0963 [HIGH] CWE-22
An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Affected products: Crafty Controller
Affected versions: >=4.7.0, <4.8.0 (affected)
Solution: Upgrade to version 4.8.0
Credit: Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-01-30