CVE-2026-1770

MEDIUM

CrafterCMS 4.0.0-4.4.9 - Authenticated Remote Code Execution via Groovy Sandbox Bypass

Description

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution).

Scores

CVSS v4 4.5
EPSS 0.0043
EPSS Percentile 33.7%
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/AU:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-913
Status published
Products (2)
CrafterCMS/CrafterCMS 4.0.0 - 4.5.0
org.craftercms/craftercms 4.0.0 - 4.5.0 (Maven)
Published Feb 02, 2026
Tracked Since Feb 18, 2026