Description
An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Published: 2026-01-30
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an input neutralization flaw in the File Operations API endpoint of Crafty Controller that permits a remote, authenticated attacker to manipulate file paths. The flaw allows the attacker to perform path traversal, leading to file tampering and potentially remote code execution. This is a classic directory traversal weakness (CWE-22), which gives an attacker the ability to read, write, or execute files beyond the intended directory.

Affected Systems

Arcadia Technology, LLC's Crafty Controller version 4.7.0 is affected. Users running this version or any earlier release that has not applied the vendor-published fix are vulnerable. No other affected versions were disclosed in the current data.

Risk and Exploitability

This flaw carries a CVSS score of 9.9, indicating critical severity. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation at present, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector requires a remote, authenticated connection to the File Operations API endpoint. Once authenticated, an attacker can supply crafted file path input that traverses outside the intended directory, enabling tampering with system files and execution of arbitrary code on the host.

Generated by OpenCVE AI on April 18, 2026 at 01:13 UTC.

Remediation

Vendor Solution

Upgrade to version 4.8.0


OpenCVE Recommended Actions

  • Update Crafty Controller to version 4.8.0 or later, as released by Arcadia Technology.
  • Restrict access to the File Operations API endpoint to trusted users and networks, ensuring only authorized accounts can invoke it.
  • Implement input validation on file path parameters, rejecting any attempts to traverse directories (for example by disallowing ".." sequences or absolute path references).
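As an added example (not Crafty Controller's code or the vendor's fix), the path-confinement check that the last recommendation describes, written in Python: the helper names, the constructed server directory layout and the assumption that the API accepts both path separators are mine, not the project's.

```python
import os
import tempfile


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the real path of user_path inside base_dir, or raise ValueError.

    Hypothetical helper, not Crafty Controller's code: reject absolute paths
    and NUL bytes, resolve symlinks and "..", then verify the result is still
    under base_dir (stripping ".." sequences alone is bypassable).
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    # Treat POSIX and Windows-style absolute paths alike as invalid input.
    if os.path.isabs(user_path) or user_path[:1] in ("/", "\\") or user_path[1:2] == ":":
        raise ValueError("absolute paths are not permitted")
    base = os.path.realpath(base_dir)
    # Assumed: the API accepts either separator, so normalise backslashes first;
    # otherwise "..\\..\\x" is one flat file name on POSIX and would pass.
    candidate = os.path.realpath(os.path.join(base, user_path.replace("\\", "/")))
    # commonpath rejects sibling-prefix matches such as /srv/server vs /srv/server2.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{user_path!r} resolves outside {base_dir}")
    return candidate


def check(base_dir: str, user_path: str) -> bool:
    """True if user_path is accepted for base_dir, False if it is rejected."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run the check over constructed inputs in a temporary server directory."""
    with tempfile.TemporaryDirectory() as tmp:
        server = os.path.join(tmp, "servers", "survival")
        os.makedirs(server)
        cases = {"server.properties": True,             # plain file name
                 "plugins/../server.properties": True,  # ".." that stays inside
                 "../../etc/passwd": False,             # classic traversal
                 "..\\..\\etc\\passwd": False,          # backslash variant
                 "/etc/passwd": False}                  # absolute path
        try:  # a symlink in the tree pointing at its parent must also be rejected
            os.symlink(tmp, os.path.join(server, "escape"))
            cases["escape/secret.txt"] = False
        except OSError:
            pass  # symlink creation is unavailable on some platforms
        return {p: check(server, p) == expected for p, expected in cases.items()}
```

`demo()` returns a mapping from each constructed input to whether the check gave the expected verdict, so every value should be True.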

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 20:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Craftycontrol; Craftycontrol crafty Controller

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:craftycontrol:crafty_controller:4.7.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Craftycontrol; Craftycontrol crafty Controller

Tue, 03 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Arcadia Technology; Arcadia Technology crafty Controller

Type: Vendors & Products
Values Removed: (none)
Values Added: Arcadia Technology; Arcadia Technology crafty Controller

Mon, 02 Feb 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 06:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

Type: Title
Values Removed: (none)
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}


Subscriptions

Arcadia Technology Crafty Controller
Craftycontrol Crafty Controller
MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-02T16:33:26.381Z

Reserved: 2026-01-14T20:14:16.821Z

Link: CVE-2026-0963

Vulnrichment

Updated: 2026-01-30T14:24:10.232Z

NVD

Status: Analyzed

Published: 2026-01-30T07:16:15.173

Modified: 2026-02-26T19:54:36.460

Link: CVE-2026-0963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses