
Crafty Controller EUVD-2025-18347

CVE-2025-5990 · HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-06-15 cve@gitlab.com
7.6
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline (7 events)

Analysis Updated: Apr 16, 2026 - 06:38 (EUVD-patch-fix, executive_summary)
Re-analysis Queued: Apr 16, 2026 - 05:29 (backfill_euvd_patch, patch_released)
Patch available: Apr 16, 2026 - 05:29 (EUVD), version 4.4.10
EUVD ID Assigned: Mar 14, 2026 - 21:57 (euvd), EUVD-2025-18347
Analysis Generated: Mar 14, 2026 - 21:57 (vuln.today)
PoC Detected: Aug 11, 2025 - 18:46 (vuln.today), public exploit code
CVE Published: Jun 15, 2025 - 18:15 (nvd), HIGH 7.6

Description (CVE.org)

An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.

Analysis (AI)

Stored cross-site scripting (XSS) vulnerability in Crafty Controller that allows authenticated attackers to inject malicious JavaScript through the Server Name form and API Key form components. An attacker with valid credentials can craft malicious input that persists in the application, executing arbitrary scripts in other users' browsers with the same security context. While CVSS 7.6 indicates high severity and the vulnerability requires low attack complexity with network accessibility, real-world risk is constrained by the requirement for prior authentication and user interaction.

Technical Context (AI)

This vulnerability is a classic input validation and output encoding failure (CWE-79: Improper Neutralization of Input During Web Page Generation). The root cause is insufficient sanitization of user-supplied input in two form components, the Server Name and API Key fields, before that data is stored and later rendered in HTML responses. Crafty Controller neither applies proper output encoding (HTML entity encoding) when rendering these values nor ships a Content Security Policy (CSP) that would block execution of injected inline script. When the stored form values are rendered server-side in subsequent page loads or administrative dashboards, the persisted payload executes in the context of the application domain, affecting any user who views the compromised data. The vulnerability chain is: unsanitized input → database persistence → unencoded output → DOM execution.

Remediation (AI)

  1. IMMEDIATE: Update Crafty Controller to the latest patched version released by the vendor (the specific version number requires the vendor advisory; typically a minor/patch bump, e.g., 4.x.1 or 5.0.1).
  2. VENDOR ADVISORY: Check the official Crafty Controller GitHub repository (https://github.com/Arcadia-Digital/Crafty) for security advisories and patch release notes.
  3. TEMPORARY MITIGATIONS (if patching is delayed): Restrict form access via network ACLs to trusted IP ranges; implement WAF rules to block script payloads in the Server Name and API Key fields; audit existing form submissions for malicious payloads and purge corrupted records; disable the API Key form temporarily if it is non-essential.
  4. POST-PATCH: Conduct a stored-XSS payload sweep of the database (search for script tags and event handlers in serialized form data); reset all API keys and server names; audit admin access logs for suspicious activity during the exposure window.
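The unencoded-output defect described under Technical Context, placed beside its HTML-entity-encoded fix, together with the post-patch database sweep from step 4 above, as an added Python example. This is not Crafty Controller's own code; the row layout, column names and sample values are constructed for illustration.

```python
import html
import re

# Constructed sample of the two stored fields the advisory names; rows 2 and 3
# carry the kind of payload a stored-XSS sweep must flag, row 4 is benign text
# that a naive "contains < or &" check would wrongly report.
STORED_ROWS = [
    {"id": 1, "server_name": "Survival SMP", "api_key_name": "backup-bot"},
    {"id": 2, "server_name": "<script>alert(1)</script>", "api_key_name": "ci"},
    {"id": 3, "server_name": "Creative", "api_key_name": '<img src=x onerror="alert(1)">'},
    {"id": 4, "server_name": "Hub & Lobby", "api_key_name": "o'neil-key"},
]


def render_unsafe(server_name: str) -> str:
    """The CWE-79 defect: the stored value is interpolated into HTML verbatim."""
    return f'<td class="name">{server_name}</td>'


def render_safe(server_name: str) -> str:
    """Hardened: HTML entity encoding; quote=True also encodes ' and \"."""
    return f'<td class="name">{html.escape(server_name, quote=True)}</td>'


# Markers of script injection in serialized form data: a script or iframe
# tag, or an inline event-handler attribute such as onerror= / onload=.
_SUSPECT = re.compile(r"<\s*(script|iframe)\b|\bon[a-z]+\s*=", re.IGNORECASE)


def audit_rows(rows):
    """Return (id, field) pairs whose stored value looks like an XSS payload."""
    hits = []
    for row in rows:
        for field in ("server_name", "api_key_name"):
            if _SUSPECT.search(row[field]):
                hits.append((row["id"], field))
    return hits


if __name__ == "__main__":
    print(render_unsafe(STORED_ROWS[1]["server_name"]))  # script lands in the page
    print(render_safe(STORED_ROWS[1]["server_name"]))    # rendered as inert text
    print(audit_rows(STORED_ROWS))                        # rows to purge / reset
```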


EUVD-2025-18347 vulnerability details – vuln.today
