Platform
other
Component
crafty-controller
Fixed in
4.8.0
CVE-2026-0805 identifies a Path Traversal vulnerability within the Backup Configuration component of Crafty Controller. This flaw allows a remote, authenticated attacker to potentially tamper with files and even achieve remote code execution. The vulnerability impacts versions 4.5.0 through 4.8.0 of Crafty Controller, and a fix is available in version 4.8.0.
The Path Traversal vulnerability in Crafty Controller presents a significant security risk. An attacker, after gaining authenticated access, can manipulate file paths to access sensitive files outside of the intended directory. This can lead to the disclosure of configuration files, credentials, or other critical data. More concerningly, successful exploitation could allow an attacker to execute arbitrary code on the system, effectively compromising the entire Crafty Controller instance and potentially leading to broader network compromise. The ability to execute code opens the door to data theft, system takeover, and denial-of-service attacks.
CVE-2026-0805 was publicly disclosed on 2026-01-30. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. It is recommended to monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS
0.05% (14% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-0805 is to upgrade Crafty Controller to version 4.8.0 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restrict access to the Backup Configuration component to only authorized users. Implement strict input validation on any user-supplied data used in file paths. Consider using a Web Application Firewall (WAF) with path traversal protection rules to block malicious requests. After upgrading, confirm the vulnerability is resolved by attempting to access files outside the intended directory and verifying that access is denied.
Actualice Crafty Controller a la versión 4.8.0 o superior. Esta versión contiene la corrección para la vulnerabilidad de path traversal. La actualización mitigará el riesgo de manipulación de archivos y ejecución remota de código.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-0805 is a Path Traversal vulnerability in Crafty Controller versions 4.5.0–4.8.0, allowing attackers to access files outside the intended directory and potentially execute code.
If you are using Crafty Controller versions 4.5.0 through 4.8.0, you are potentially affected by this vulnerability. Upgrade to version 4.8.0 to mitigate the risk.
The recommended fix is to upgrade Crafty Controller to version 4.8.0 or later. If immediate upgrade isn't possible, implement temporary workarounds like restricting access and input validation.
Currently, there are no publicly known active exploitation campaigns for CVE-2026-0805, but it's crucial to apply the patch promptly.
Refer to the official Crafty Controller security advisory for detailed information and updates regarding CVE-2026-0805.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.