Cyber Posture

CVE-2026-0805

Severity: High
Published: 30 January 2026
Modified: 26 February 2026
KEV Added: not listed
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0005 (16.6th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0805 is a high-severity Path Traversal (CWE-22) vulnerability in Craftycontrol Crafty Controller. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 16.6th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one further technique, Command and Scripting Interpreter (T1059). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)
Requires validation of user-supplied inputs in the Backup Configuration component so that path traversal payloads are neutralized before they can be used for file tampering or remote code execution.

Input restriction at the application interface (prevent)
Restricts backup configuration inputs to organization-defined safe paths and formats at the application interface, blocking directory traversal attempts before they reach the filesystem.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting, and patching of the input neutralization flaw documented in the Crafty Controller GitLab issue, which removes the vulnerability rather than merely containing it.
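To make the SI-10 control concrete, the following is an added example (not Crafty Controller's code and not taken from the GitLab issue) that places a naive backup-path resolver beside a hardened one. The backup root, the function names and the inputs are assumptions for illustration; the vulnerable variant shows the generic CWE-22 pattern, not how the project's handler is actually written. The hardened variant canonicalizes with realpath (so a planted symlink that points outside the root is resolved before the check) and tests containment on path components with commonpath, because a plain string-prefix test would accept /srv/backups_evil for a root of /srv/backups.

```python
# Added example: a vulnerable backup-path resolver next to a hardened one.
# Not Crafty Controller's code; backup_root, function names and inputs are
# assumed for illustration.
import os
import tempfile


def resolve_backup_path_vulnerable(backup_root: str, user_supplied: str) -> str:
    """Vulnerable pattern: join the user-controlled value and trust the result.
    '../' segments climb out of backup_root, and an absolute value makes
    os.path.join discard backup_root entirely."""
    return os.path.join(backup_root, user_supplied)


def resolve_backup_path_hardened(backup_root: str, user_supplied: str) -> str:
    """Hardened pattern: reject obviously hostile input, canonicalize, then
    check containment on path components rather than with a string prefix."""
    if "\x00" in user_supplied:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_supplied):
        raise ValueError("absolute paths are not allowed")
    root = os.path.realpath(backup_root)
    # realpath collapses '..' and follows symlinks, so a symlink planted
    # inside the root that points outside it is resolved before the check.
    candidate = os.path.realpath(os.path.join(root, user_supplied))
    # commonpath compares components: '/srv/backups_evil' is NOT contained in
    # '/srv/backups', although a startswith() check would accept it.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes backup root")
    return candidate


def is_contained(backup_root: str, user_supplied: str) -> bool:
    """True when the hardened resolver accepts the input."""
    try:
        resolve_backup_path_hardened(backup_root, user_supplied)
        return True
    except ValueError:
        return False


def symlink_escape_is_rejected() -> bool:
    """Builds a temporary backup root containing a symlink that points outside
    it and returns True if the hardened resolver refuses to follow it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "backups")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))
        return not is_contained(root, "link/secret.txt")


if __name__ == "__main__":
    root = "/srv/backups"  # assumed backup root
    for value in ["server1/world.zip", "../../etc/cron.d", "/etc/passwd",
                  "../backups_evil/x"]:
        vulnerable = os.path.normpath(resolve_backup_path_vulnerable(root, value))
        verdict = "accept" if is_contained(root, value) else "reject"
        print(f"{value!r:24} vulnerable -> {vulnerable:24} hardened -> {verdict}")
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

The order of the checks matters: the NUL and absolute-path rejections come first because realpath would otherwise silently "repair" them, and the containment test runs on the already-canonical candidate so that neither `..` segments nor symlinks can move the final path outside the root.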

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Path traversal in the public-facing Crafty Controller web application maps to T1190; the resulting file tampering and remote code execution map to T1059 command execution. Note the CVSS vector's PR:L: the attacker must already hold a low-privileged account on the panel, so T1190 applies where the web UI is reachable from the Internet and the attacker has obtained or registered credentials, rather than as a fully unauthenticated entry point.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1
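For the detection side of T1190, here is an added example (not from this page or from the Crafty Controller project) that scans constructed access-log lines for traversal attempts aimed at backup-configuration requests. The log format, the endpoint name fragment "backup", the parameter name backup_path, and the IPs and user names in the sample are all assumptions. In particular it assumes the parameter is visible in the logged request target; for POST bodies that requires application-level request logging rather than a plain web-server access log. It goes slightly beyond the page's single case by decoding repeatedly, so double-encoded payloads such as %252e%252e%252f are caught as well.

```python
# Added example: traversal detection over constructed access-log lines.
# Not from the page or the project; log format, endpoint name fragment,
# parameter names, IPs and user names are all assumed.
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Common-log-style line with the authenticated user in the third field (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Assumed: backup-configuration routes contain "backup" in their path.
ENDPOINT_FILTER = re.compile(r"backup", re.IGNORECASE)

# Constructed sample: one benign request, three hostile ones (plain, double-encoded,
# absolute path) and one traversal against a non-backup route that the filter skips.
SAMPLE_LOG = """\
198.51.100.7 - admin [30/Jan/2026:10:00:01 +0000] "POST /panel/edit_backup?id=1&backup_path=server1%2Fworld.zip HTTP/1.1" 200
198.51.100.9 - lowpriv [30/Jan/2026:10:00:05 +0000] "POST /panel/edit_backup?id=1&backup_path=..%2F..%2F..%2Fetc%2Fcron.d HTTP/1.1" 200
198.51.100.9 - lowpriv [30/Jan/2026:10:00:09 +0000] "POST /panel/edit_backup?id=1&backup_path=%252e%252e%252f%252e%252e%252fapp HTTP/1.1" 200
198.51.100.9 - lowpriv [30/Jan/2026:10:00:12 +0000] "POST /panel/edit_backup?id=1&backup_path=%2Fetc%2Fpasswd HTTP/1.1" 200
203.0.113.4 - - [30/Jan/2026:10:00:20 +0000] "GET /panel/dashboard?view=..%2Fx HTTP/1.1" 200
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable, so %252e%252e (double-encoded
    '..') is seen for what it is. Bounded to avoid decoding loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """Flag absolute paths and any '..' path component, after decoding and
    after folding backslashes (Windows-style separators) to '/'."""
    decoded = fully_decode(value).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    return any(segment == ".." for segment in decoded.split("/"))


def scan_access_log(text: str) -> list:
    """Return one finding per query parameter that carries a traversal
    payload towards a backup endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not ENDPOINT_FILTER.search(url.path):
            continue
        # parse_qs already performs one round of percent-decoding.
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for raw in values:
                if has_traversal(raw):
                    findings.append({
                        "ip": m["ip"], "user": m["user"], "path": url.path,
                        "param": name, "decoded": fully_decode(raw),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']:14} user={f['user']:8} {f['path']} {f['param']}={f['decoded']!r}")
```

The endpoint filter is a tuning choice: narrowing to backup routes keeps the alert tied to this component, while dropping the filter turns the same logic into a general traversal detector for the panel. Repeated hits from one low-privileged account, as in the sample, are the signal worth escalating.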

NVD Description

An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.

Deeper analysis [AI]

CVE-2026-0805 is an input neutralization vulnerability, classified under CWE-22 (path traversal), affecting the Backup Configuration component of Crafty Controller. The component does not neutralize path elements in user-supplied input, so an attacker can traverse directories and read or write files outside the intended backup location. The vulnerability was published on 2026-01-30 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with no availability impact.

A remote, authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by supplying a crafted backup path (for example, one containing traversal sequences) when configuring a backup. Because only a low-privileged account is required, any account permitted to configure backups is sufficient, not only an administrator. Successful exploitation leads to file tampering and remote code execution (RCE). The changed scope (S:C) means the impact is not confined to the web application itself but reaches the system that hosts it, which is what turns a file write into code execution. High attack complexity (AC:H) indicates that conditions outside the attacker's direct control must also hold, which is consistent with the low EPSS score.

The primary advisory reference is a GitLab issue at https://gitlab.com/crafty-controller/crafty-4/-/issues/650 in the Crafty Controller repository, which documents the vulnerability; consult it for the fixed release and any workarounds, as this page does not state them.

Details

CWE(s)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Affected Products
Craftycontrol Crafty Controller, versions 4.5.0 through 4.8.0 (as listed on this page; confirm the first fixed release against the GitLab issue)

CVEs Like This One

CVE-2026-0963 (same product: Craftycontrol Crafty Controller)
CVE-2026-5652 (same product: Craftycontrol Crafty Controller)
CVE-2025-14700 (same product: Craftycontrol Crafty Controller)
CVE-2025-12062 (shared CWE-22)
CVE-2025-8815 (shared CWE-22)
CVE-2024-55597 (shared CWE-22)
CVE-2025-69770 (shared CWE-22)
CVE-2026-32805 (shared CWE-22)
CVE-2025-1770 (shared CWE-22)
CVE-2025-24494 (shared CWE-22)

References

https://gitlab.com/crafty-controller/crafty-4/-/issues/650 (Crafty Controller GitLab issue documenting the vulnerability)