PT-2025-51794 · Unknown · Crafty Controller
Published: 2025-12-17 · Updated: 2025-12-22 · CVE-2025-14700
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Crafty Controller version 4.6.1
Description
An input neutralization issue exists in the Webhook Template component of Crafty Controller. It allows a remote, authenticated attacker to execute code on the system through Server-Side Template Injection (SSTI). SSTI occurs when user-supplied input is not properly sanitized before being used in a server-side template engine, potentially leading to arbitrary code execution.
Recommendations
Restrict access to the Webhook Template component.
Monitor logs for suspicious activity.
Apply future patches as they become available.
Exploit
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Crafty Controller