Description

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution).

PUBLISHED Reserved 2026-02-02 | Published 2026-02-02 | Updated 2026-02-02 | Assigner crafter




MEDIUM: 4.5 | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/AU:N

Problem types

CWE-913 Improper Control of Dynamically-Managed Code Resources

Product status

Default status: unaffected

4.0.0 (semver) before 4.5.0: affected

Credits

Matei "Mal" Badanoiu (reporter)

References

docs.craftercms.org/current/security/advisory.html

cve.org (CVE-2026-1770)

nvd.nist.gov (CVE-2026-1770)
