CVE-2025-14700

Improper Neutralization of Special Elements Used in a Template Engine in Crafty Controller

CVSS 9.9 CRITICAL | EPSS 6.0% | CWE-1336
In short

A flaw in Crafty Controller's webhook feature lets an authenticated user inject template directives through the webhook template, giving them remote code execution on the host that runs Crafty Controller.

Technical detail

A CWE-1336 vulnerability in the Webhook Template component permits Server-Side Template Injection (SSTI): user-supplied input reaches the template engine without being neutralized, so template syntax in that input is interpreted rather than treated as literal text. An authenticated attacker can inject template directives to achieve remote code execution on the affected system. Note the CVSS vector: only a low-privilege account is required (PR:L) and no user interaction (UI:N), and the scope is changed (S:C), meaning the impact extends beyond the Crafty Controller application itself to the underlying host.
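To make the failure mode concrete, the following is an added example and not code from Crafty Controller (the page does not name the engine the project uses). A toy engine that evaluates `{{ ... }}` with eval() stands in for any unsandboxed template engine whose template text is user-controlled; beside it is the hardened pattern, where user text only ever supplies placeholder values and is never evaluated. The EVENT dict and all template strings are constructed sample data.

```python
import re
import string

# Constructed sample context: the only fields a webhook template should be able to reference.
EVENT = {"server_name": "survival-1", "event": "server_stopped", "player": "steve"}

_EXPR = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def render_unsafe(template: str, context: dict) -> str:
    """Vulnerable pattern: the template text itself is user-controlled and every
    {{ ... }} is handed to an expression evaluator. eval() here is a stand-in for
    an unsandboxed real engine; attribute traversal, calls and imports are exactly
    what SSTI payloads build on, so a user who controls the template controls the host."""
    return _EXPR.sub(lambda m: str(eval(m.group(1).strip(), {}, dict(context))), template)


def render_safe(template: str, context: dict) -> str:
    """Hardened pattern: string.Template performs placeholder substitution only
    ($name / ${name}). Nothing in the template text is evaluated; an unknown name
    raises KeyError and a malformed placeholder raises ValueError."""
    return string.Template(template).substitute(context)


def render_safe_or_reject(template: str, context: dict):
    """Returns the rendered text, or None when the template is rejected.
    A webhook feature should fail closed on reject rather than fall back to a richer engine."""
    try:
        return render_safe(template, context)
    except (KeyError, ValueError):
        return None


_DELIMS = re.compile(r"\{\{|\{%|\{#")


def looks_like_template_code(text: str) -> bool:
    """Triage helper for already-stored webhook templates: flags expression and
    statement delimiters that should never appear in text that is only meant to
    carry placeholders. A hit is a reason to inspect, not proof of exploitation."""
    return _DELIMS.search(text) is not None


if __name__ == "__main__":
    benign = "Server {{ server_name }} fired {{ event }}"
    print(render_unsafe(benign, EVENT))                  # Server survival-1 fired server_stopped
    print(render_unsafe("{{ 7*7 }}", EVENT))             # 49: the classic SSTI probe, proving evaluation
    print(render_unsafe("{{ ''.__class__.__mro__[1].__name__ }}", EVENT))  # object: traversal out of the data context
    print(render_safe("Server $server_name fired $event", EVENT))          # Server survival-1 fired server_stopped
    print(render_safe("{{ 7*7 }}", EVENT))               # {{ 7*7 }}: left as literal text
    print(render_safe_or_reject("${''.__class__}", EVENT))                 # None: malformed placeholder rejected
    print(looks_like_template_code(benign))              # True
```

The `7*7` probe is the standard first test for SSTI: if a field you control comes back as `49`, the text is being evaluated, not displayed. The attribute-traversal payload shows the next step, reaching objects outside the data the feature intended to expose, which is the starting point of the gadget chains that turn SSTI into code execution. Run `looks_like_template_code` over stored webhook templates on an instance you are authorized to test to find entries worth inspecting.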

Summary generated and translated by AI from the official description.

Official description
An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
⚠ Public resources: use them to assess the exposure of systems you control or are authorized to test. Test only with authorization.
