Plattform
other
Komponente
crafty-controller
Behoben in
4.8.0
CVE-2026-0963 describes a critical Path Traversal vulnerability discovered in the File Operations API Endpoint component of Crafty Controller. This flaw allows a remote, authenticated attacker to manipulate files and potentially execute arbitrary code on the system. The vulnerability impacts versions 4.7.0 through 4.8.0, and a fix is available in version 4.8.0.
The Path Traversal vulnerability in Crafty Controller presents a significant security risk. An attacker, after gaining authentication, can leverage this flaw to navigate the file system beyond the intended boundaries. This allows them to read, modify, or even delete sensitive files, including configuration files, application code, and potentially database credentials. Successful exploitation could lead to complete system compromise, enabling the attacker to execute arbitrary commands with the privileges of the application user. The potential for remote code execution significantly expands the attack surface and increases the severity of the impact.
CVE-2026-0963 was publicly disclosed on 2026-01-30. Currently, there are no publicly available proof-of-concept exploits. The CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation if the vulnerability is exposed. It is advisable to prioritize remediation efforts due to the potential for severe consequences.
Organizations using Crafty Controller in environments where the File Operations API Endpoint is exposed to authenticated users are at risk. This includes deployments with custom integrations or applications that rely on this API. Legacy configurations with weak access controls are particularly vulnerable.
disclosure
Exploit-Status
EPSS
0.13% (32% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-0963 is to immediately upgrade Crafty Controller to version 4.8.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the File Operations API Endpoint to trusted users only. Implement strict input validation and sanitization on all user-supplied data to prevent path manipulation. Consider deploying a Web Application Firewall (WAF) with rules to detect and block path traversal attempts. Regularly review file system permissions to ensure least privilege access.
Aktualisieren Sie Crafty Controller auf Version 4.8.0 oder höher. Diese Version enthält die Korrektur für die Path-Traversal-Schwachstelle. Das Update wird das Risiko von Dateimanipulation und Remote Code Execution mindern.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-0963 is a critical vulnerability allowing authenticated attackers to manipulate files and potentially execute code via path traversal in Crafty Controller's File Operations API Endpoint.
You are affected if you are using Crafty Controller versions 4.7.0 through 4.8.0 and have not upgraded to version 4.8.0 or later.
Upgrade Crafty Controller to version 4.8.0 or later. As a temporary workaround, restrict access to the API and implement strict input validation.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official Crafty Controller security advisory for detailed information and updates regarding CVE-2026-0963.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.