Description
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution).
Published: 2026-02-02
Score: 4.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Enable Whitelist
AI Analysis

Impact

A flaw in Crafter Studio, reachable only by authenticated developers, allows the injection of malicious Groovy code that bypasses the sandbox, enabling the attacker to run arbitrary operating-system commands. The weakness maps to CWE-913, Improper Control of Dynamically-Managed Code Resources. As a result, a compromised developer account can lead to full compromise of the host, exposing all confidential data and potentially disrupting availability.

Affected Systems

CrafterCMS, specifically the CrafterCMS Studio module. No explicit version range is listed, so all releases containing the affected studio component are potentially impacted.

Risk and Exploitability

The CVSS score of 4.5 indicates moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The flaw is not listed in the KEV catalog. Exploitation requires valid developer credentials and the ability to insert Groovy elements, so the attack surface is limited to authenticated insiders or attackers who have already obtained such access. If successful, the attacker gains full control over the underlying operating system.

Generated by OpenCVE AI on April 18, 2026 at 00:38 UTC.

Remediation

Vendor Solution

Enable the Groovy Sandbox whitelist mode: https://craftercms.com/docs/current/reference/modules/studio.html#enabling-the-sandbox-whitelist

OpenCVE Recommended Actions

  • Enable Groovy Sandbox whitelist mode as documented in the CrafterCMS Studio configuration guide.
  • Restrict developer and plugin installation privileges to a small, trusted group and enforce least-privilege access controls.
  • Implement monitoring and logging of Groovy script changes and script execution events so that anomalous scripts or unexpected process launches can be detected.

Advisories
Source: Github GHSA
ID: GHSA-gj28-gw7w-3pxc
Title: Crafter CMS has Improper Control of Dynamically-Managed Code Resources
History

Wed, 04 Feb 2026 12:30:00 +0000

Type: First Time appeared
Values Added: Craftercms; Craftercms crafter Cms; Craftercms craftercms

Type: Vendors & Products
Values Added: Craftercms; Craftercms crafter Cms; Craftercms craftercms

Mon, 02 Feb 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 16:30:00 +0000

Type: Description
Values Added: Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution).

Type: Title
Values Added: Improper Control of Dynamically-Managed Code Resources in Crafter Studio

Type: Weaknesses
Values Added: CWE-913

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 4.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/AU:N'}

MITRE

Status: PUBLISHED

Assigner: crafter

Published:

Updated: 2026-02-02T16:38:59.620Z

Reserved: 2026-02-02T16:14:38.698Z

Link: CVE-2026-1770

Vulnrichment

Updated: 2026-02-02T16:38:52.452Z

NVD

Status: Deferred

Published: 2026-02-02T17:16:17.643

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1770

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses