Description
An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Published: 2026-01-30
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An input neutralization flaw in Crafty Controller's Backup Configuration component lets a remote, authenticated attacker use path traversal to tamper with files, leading to remote code execution and compromise of file integrity.

Affected Systems

The vulnerability affects Arcadia Technology, LLC’s Crafty Controller application; the CVE does not specify which releases are impacted, so all versions running the vulnerable Backup Configuration component are potentially susceptible.

Risk and Exploitability

The CVSS score of 8.2 signals high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at present. Because the flaw requires authentication, users with privileged access pose a significant risk. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 18, 2026 at 01:13 UTC.

Remediation

Vendor Solution

Upgrade to version 4.8.0


OpenCVE Recommended Actions

  • Apply the vendor-provided patch to reach version 4.8.0.
  • Limit the privileges of users who can access the Backup Configuration component to the minimal set necessary; consider removing administrative access for non-essential accounts.
  • Reconfigure the backup directory to enforce strict path restrictions, ensuring that files cannot be written outside the designated directory until the patch is applied.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 20:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Craftycontrol; Craftycontrol crafty Controller |
| CPEs | | cpe:2.3:a:craftycontrol:crafty_controller:*:*:*:*:*:*:*:* |
| Vendors & Products | | Craftycontrol; Craftycontrol crafty Controller |

Tue, 03 Feb 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Arcadia Technology; Arcadia Technology crafty Controller |
| Vendors & Products | | Arcadia Technology; Arcadia Technology crafty Controller |

Mon, 02 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 30 Jan 2026 06:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. |
| Title | | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller |
| Weaknesses | | CWE-22 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-02T16:33:11.255Z

Reserved: 2026-01-09T10:40:55.812Z

Link: CVE-2026-0805

Vulnrichment

Updated: 2026-01-30T14:23:55.487Z

NVD

Status: Analyzed

Published: 2026-01-30T07:16:14.917

Modified: 2026-02-26T19:57:06.950

Link: CVE-2026-0805

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses