CVE-2025-5990

Name of the Vulnerable Software and Affected Versions Crafty Controller versions 4.2.2 through 4.2.3 Crafty Controller versions 4.3.0 through 4.3.2 Crafty Controller versions 4.4.0 through 4.4.9

Description An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input. This issue is related to improper neutralization of input during web page generation, also known as cross-site scripting.

Recommendations For Crafty Controller versions 4.2.2 through 4.2.3, update to a version outside of this range to mitigate the risk. For Crafty Controller versions 4.3.0 through 4.3.2, update to a version outside of this range to mitigate the risk. For Crafty Controller versions 4.4.0 through 4.4.9, update to version 4.4.10 or later to mitigate the risk. As a temporary workaround, consider restricting input to the Server Name form and API Key form components to minimize the risk of exploitation.