CVE-2025-5990 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller

🗓️ 15 Jun 2025 18:01:09Reported by GitLabType

Vulnerability in Crafty Controller allows stored XSS via input in Server Name and API Key forms.

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2025-5990	15 Jun 202519:01	–	circl
CNNVD	Crafty Controller 跨站脚本漏洞	15 Jun 202500:00	–	cnnvd
CVE	CVE-2025-5990	15 Jun 202518:01	–	cve
EUVD	EUVD-2025-18347	3 Oct 202520:07	–	euvd
NVD	CVE-2025-5990	15 Jun 202518:15	–	nvd
OSV	CVE-2025-5990 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller	15 Jun 202518:01	–	osv
Positive Technologies	PT-2025-25503 · Unknown · Crafty Controller	15 Jun 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-5990	17 Jun 202518:21	–	redhatcve
Vulnrichment	CVE-2025-5990 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller	15 Jun 202518:01	–	vulnrichment

[
  {
    "vendor": "Arcadia Technology, LLC",
    "product": "Crafty Controller",
    "versions": [
      {
        "version": "4.2.2",
        "status": "affected",
        "lessThanOrEqual": "4.2.3",
        "versionType": "semver"
      },
      {
        "version": "4.3.0",
        "status": "affected",
        "lessThanOrEqual": "4.3.2",
        "versionType": "semver"
      },
      {
        "version": "4.4.0",
        "status": "affected",
        "lessThan": "4.4.10",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
gitlab	www.gitlab.com/crafty-controller/crafty-4/-/issues/567

15 Jun 2025 18:01Current

CVSS 3.17.6

EPSS0.00213

CWE-79