Platform
other
Component
crafty-controller
Fixed in
4.8.0
CVE-2026-0963 describes a critical Path Traversal vulnerability discovered in the File Operations API Endpoint component of Crafty Controller. This flaw allows a remote, authenticated attacker to manipulate files and potentially execute arbitrary code on the system. The vulnerability impacts versions 4.7.0 through 4.8.0, and a fix is available in version 4.8.0.
The impact of CVE-2026-0963 is severe due to the potential for both file tampering and remote code execution. An attacker exploiting this vulnerability could read sensitive configuration files, modify critical system files, or even upload and execute malicious code. Successful exploitation could lead to complete system compromise, data exfiltration, and denial of service. The ability to execute arbitrary code elevates the risk significantly, allowing attackers to establish persistent access or pivot to other systems within the network. This vulnerability shares similarities with other path traversal exploits where attackers leverage improperly validated user input to access files outside of the intended directory.
CVE-2026-0963 was publicly disclosed on 2026-01-30. The vulnerability's criticality (CVSS 9.9) indicates a high probability of exploitation. As of this writing, no public proof-of-concept (POC) code has been released, but the ease of exploitation associated with path traversal vulnerabilities suggests that a POC is likely to emerge. It is not currently listed on CISA KEV, but its severity warrants close monitoring.
Exploit Status
EPSS
0.13% (32% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-0963 is to upgrade Crafty Controller to version 4.8.0 or later, which contains the fix. If immediate upgrading is not feasible, consider implementing temporary workarounds. Restrict access to the File Operations API Endpoint to only authorized users and implement strict input validation to prevent path traversal attempts. Consider deploying a Web Application Firewall (WAF) with rules to block requests containing suspicious path characters (e.g., '..', '/', '\'). Regularly monitor system logs for unusual file access patterns. After upgrading, confirm the fix by attempting a path traversal attack on the File Operations API Endpoint and verifying that access is denied.
Update Crafty Controller to version 4.8.0 or later. This version contains the fix for the path traversal vulnerability. The update will mitigate the risk of file tampering and remote code execution.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-0963 is a critical vulnerability allowing authenticated attackers to manipulate files and potentially execute code via path traversal in Crafty Controller's File Operations API Endpoint.
You are affected if you are using Crafty Controller versions 4.7.0 through 4.8.0 and have not upgraded to version 4.8.0 or later.
Upgrade Crafty Controller to version 4.8.0 or later. As a temporary workaround, restrict access to the API and implement strict input validation.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official Crafty Controller security advisory for detailed information and updates regarding CVE-2026-0963.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.