CVE-2025-5990

Description

An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Affected products

Arcadia Technology, LLC / Crafty Controller4.2.2 – 4.2.3
Arcadia Technology, LLC / Crafty Controller4.3.0 – 4.3.2
Arcadia Technology, LLC / Crafty Controller4.4.0 – 4.4.10

References

MISChttps://gitlab.com/crafty-controller/crafty-4/-/issues/567