What is the CVSS score of CVE-2026-0963?

CVE-2026-0963 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of Crafty Controller are affected by CVE-2026-0963?

A critical vulnerability in Crafty Controller allows authenticated users to execute arbitrary code and modify files on affected systems, potentially leading to complete system compromise.

How to fix or mitigate CVE-2026-0963?

Within 24 hours: Identify all Crafty Controller instances in your environment and document which systems have internet or untrusted network access. Within 7 days: Implement network segmentation to restrict access to the File Operations API endpoint and enforce strict access controls on authenticated accounts. Within 30 days: Monitor vendor communications for patch availability and develop a deployment plan; evaluate alternative solutions if patches remain unavailable.

Crafty Controller CVE-2026-0963

CRITICAL

Path Traversal (CWE-22)

2026-01-30 cve@gitlab.com

RCE Path Traversal Crafty Controller

9.9

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.9 CRITICAL

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:00 vuln.today

CVE Published

Jan 30, 2026 - 07:16 nvd

CRITICAL 9.9

DescriptionCVE.org

An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

AnalysisAI

Path traversal in Crafty Controller game server management allows authenticated attackers to read/write files outside the intended directory. CVSS 9.9 with scope change.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Crafty Controller

Delivery

Craft path traversal payload in File Operations API

Exploit

Bypass input neutralization checks

Execution

Write malicious file to executable location

Impact

Achieve remote code execution