CVE-2026-1770

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution).

CVSS

No CVSS.

References

Link	Resource
https://docs.craftercms.org/current/security/advisory.html#cv-2026020201

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad de Control Inadecuado de Recursos de Código Gestionados Dinámicamente en Crafter Studio de Crafter CMS permite a desarrolladores autenticados ejecutar comandos del sistema operativo a través de una Omisión de Sandbox de Groovy. Al insertar elementos Groovy maliciosos, un atacante puede omitir las restricciones de la sandbox y obtener RCE (Ejecución Remota de Código).

02 Feb 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-02 17:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-1770

Mitre link : CVE-2026-1770

CVE.ORG link : CVE-2026-1770

JSON object : View

Products Affected

No product.

CWE

CWE-913

Improper Control of Dynamically-Managed Code Resources

{"id": "CVE-2026-1770", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@craftersoftware.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.5, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-02T17:16:17.643", "references": [{"url": "https://docs.craftercms.org/current/security/advisory.html#cv-2026020201", "source": "security@craftersoftware.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@craftersoftware.com", "description": [{"lang": "en", "value": "CWE-913"}]}], "descriptions": [{"lang": "en", "value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution)."}, {"lang": "es", "value": "Vulnerabilidad de Control Inadecuado de Recursos de C\u00f3digo Gestionados Din\u00e1micamente en Crafter Studio de Crafter CMS permite a desarrolladores autenticados ejecutar comandos del sistema operativo a trav\u00e9s de una Omisi\u00f3n de Sandbox de Groovy. Al insertar elementos Groovy maliciosos, un atacante puede omitir las restricciones de la sandbox y obtener RCE (Ejecuci\u00f3n Remota de C\u00f3digo)."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security@craftersoftware.com"}