CVE-2025-14700 · CRITICAL 9.9 · EPSS p49.2%

Description

An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.72% probability of exploitation · percentile 49.2% · 2026-06-18T12:00:27Z
Published: 2025-12-17
Last modified: 2025-12-23

Underlying weaknesses · 1

CWE-1336

References

  1. https://gitlab.com/crafty-controller/crafty-4/-/issues/646

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements Used in a Template Engine (cwe-1336) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: Craft CMS Code Injection Vulnerability
CVE: CVE-2026-0963
CVE: CVE-2026-0805
CVE: CVE-2026-5652
CVE: CVE-2025-61492
CVE: CVE-2025-68454

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.