GHSA-gj28-gw7w-3pxc

Suggest an improvement
Source
https://github.com/advisories/GHSA-gj28-gw7w-3pxc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-gj28-gw7w-3pxc/GHSA-gj28-gw7w-3pxc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gj28-gw7w-3pxc
Aliases
  • CVE-2026-1770
Published
2026-02-02T18:31:33Z
Modified
2026-02-03T17:53:08.386476Z
Severity
  • 4.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H/E:U CVSS Calculator
Summary
Crafter CMS has Improper Control of Dynamically-Managed Code Resources
Details

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution).

Database specific 
{
    "nvd_published_at": "2026-02-02T17:16:17Z",
    "cwe_ids": [
        "CWE-913"
    ],
    "github_reviewed_at": "2026-02-02T22:36:58Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Maven / org.craftercms:craftercms

Package

Name
org.craftercms:craftercms
View open source insights on deps.dev
Purl
pkg:maven/org.craftercms/craftercms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.5.0

Affected versions

4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.1.0
4.1.1
4.1.4
4.1.5
4.1.6
4.1.7
4.1.9
4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.3.2

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-gj28-gw7w-3pxc/GHSA-gj28-gw7w-3pxc.json"