CVE-2026-0963

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-0963

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0963.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-0963

Published

2026-01-30T06:04:05.503Z

Modified

2026-02-02T19:32:59.474876Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L CVSS Calculator

Summary

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller

Details

An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitLab",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/0xxx/CVE-2026-0963.json"
}

References

Affected packages

Git / gitlab.com/crafty-controller/crafty-4

Affected ranges

Type

GIT

Repo

https://gitlab.com/crafty-controller/crafty-4

Events

Introduced

5e66a760e42b4ca105ff2ee24319106ba0a1046f

Fixed

1a7bb702b693991159a540bc22fe9b17dd320bd2

Database specific

{
    "versions": [
        {
            "introduced": "4.7.0"
        },
        {
            "fixed": "4.8.0"
        }
    ]
}

Affected versions

v4.*

v4.7.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0963.json"