CVE-2025-14700
- Source
- https://cve.org/CVERecord?id=CVE-2025-14700
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14700.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-14700
- Published
- 2025-12-17T00:04:37.049Z
- Modified
- 2026-03-10T14:47:09.278609Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller
- Details
-
An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.
- Database specific
{ "cwe_ids": [ "CWE-1336" ], "cna_assigner": "GitLab", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/14xxx/CVE-2025-14700.json" }- References
Affected packages
Git / gitlab.com/crafty-controller/crafty-4
Affected versions
4.*
4.0.0-alpha.3
v4.*
v4.0.0-alpha-3-hotfix.1
v4.0.0-alpha-3-hotfix.2
v4.0.0-alpha-3.5
v4.0.0-alpha.2
v4.0.0-beta
v4.0.0-beta-hotfix.1
v4.0.10-beta
v4.0.11-beta
v4.0.12-beta
v4.0.13-beta
v4.0.14-beta
v4.0.15-beta
v4.0.16
v4.0.18
v4.0.19
v4.0.2
v4.0.2-beta-hotfix.1
v4.0.20
v4.0.21
v4.0.22
v4.0.3-beta
v4.0.4-beta
v4.0.4-beta-hotfix2
v4.0.4-hotfix
v4.0.5-beta
v4.0.6-beta
v4.0.7-beta
v4.0.8-beta
v4.0.9-beta
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.3.0
v4.3.1
v4.3.2
v4.4.0
v4.4.1
v4.4.10
v4.4.11
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.6.1