Input Neutralization Flaw in Crafty Controller Webhook Template
CVE-2025-14700

9.9CRITICAL

Key Information:

Vendor: Arcadia Technology, Llc
Status: Crafty Controller
Vendor: CVE Published:; 17 December 2025

🔔 Create Arcadia Technology, Llc Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-14700?

An input neutralization flaw in the Webhook Template component of Crafty Controller allows authenticated attackers to execute arbitrary code remotely via Server Side Template Injection. This vulnerability can lead to significant security risks, enabling malicious actors to potentially manipulate server-side logic and access sensitive information.

Affected Version(s)

Crafty Controller 4.6.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-14700-poc
Created by Nosiume

References

https://gitlab.com/crafty-controller/crafty-4/-/issues/646

issue-trackingpermissions-required

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 18, 2025
👾
Exploit known to exist
Dec 18, 2025
Vulnerability published
Dec 17, 2025
Vulnerability Reserved
Dec 14, 2025

Credit

Thank you to [Rozza / rchar](https://gitlab.com/rchar) on GitLab for reporting this issue.

JSON