CVE-2026-1770
Groovy Sandbox Bypass in Crafter Studio Enables Remote Code Execution
Publication date: 2026-02-02
Last updated on: 2026-02-02
Assigner: Crafter CMS
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftersoftware | craftercms | From 4.0 (inc) to 4.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-913 | The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1770 is a vulnerability in Crafter Studio of Crafter CMS that allows authenticated developers to bypass Groovy sandbox restrictions by inserting malicious Groovy elements. This improper control of dynamically-managed code resources enables attackers to execute operating system commands remotely, leading to Remote Code Execution (RCE). It is classified under CWE-913 and involves Remote Code Inclusion attacks. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with authenticated developer access to execute arbitrary OS commands on the affected system remotely. This can lead to unauthorized control over the system, potential data breaches, system compromise, and disruption of services. [1]