CVE 9.9 CRITICAL

Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller_CVE-2025-14700

December 16, 2025 invoker category_cve

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

AI Analysis

Remote code execution via Server Side Template Injection in Crafty Controller Webhook Template component

Basic Information

ID CVE-2025-14700

Source GitLab

Published Dec 17, 2025 at 00:04

Affected Product

Vendor Arcadia Technology, LLC

Product Crafty Controller

Version 4.6.1

Affected Versions Arcadia Technology, LLC Crafty Controller 4.6.1

CWE Classification

CWE-1336

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor Arcadia Technology, LLC

Product Crafty Controller

Version 4.6.1

References

gitlab.com /crafty-controller/crafty-4/-/issues/646

{
    "lastseen": "",
    "description": "An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.",
    "published": "2025-12-17T00:04:37.049Z",
    "modified": "2025-12-17T00:04:37.049Z",
    "type": "cve",
    "title": "Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller",
    "source": "GitLab",
    "references": "https://gitlab.com/crafty-controller/crafty-4/-/issues/646",
    "id": "CVE-2025-14700",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1336"
    ],
    "cvelist": null,
    "sourceData": "Arcadia Technology, LLC Crafty Controller 4.6.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Crafty Controller",
    "version": "4.6.1",
    "vendor": "Arcadia Technology, LLC",
    "ai_description": "Remote code execution via Server Side Template Injection in Crafty Controller Webhook Template component",
    "ai_severity": "Critical",
    "ai_vendor": "Arcadia Technology, LLC",
    "ai_product": "Crafty Controller",
    "ai_version": "4.6.1",
    "ai_score": 9.9
}

💭 Join the Security Discussion ❌ Cancel Reply