{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "4.2.2" }, { "last_affected": "4.2.3" } ] }, "events": [ { "introduced": "3fd7638082c10c3f3356a3d681f6d2342998b499" }, { "last_affected": "ddee3eaea783f728c23785889ed77d6f678aa6ec" } ], "repo": "https://gitlab.com/crafty-controller/crafty-4", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "4.3.0" }, { "last_affected": "4.3.2" } ] }, "events": [ { "introduced": "0a296a0095d1bedd779fffae95ad4d198f28004f" }, { "last_affected": "6652541876b9ab8f14e0fbaf5fe3b7bb624546d2" } ], "repo": "https://gitlab.com/crafty-controller/crafty-4", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "4.4.0" }, { "fixed": "4.4.10" } ] }, "events": [ { "introduced": "e4f96f91180017b46cd0e0c00e119d81845848ec" }, { "fixed": "0d37806af83c09a47c4b2b755a17860c644d637b" } ], "repo": "https://gitlab.com/crafty-controller/crafty-4", "type": "GIT" } ] } ], "database_specific": { "cna_assigner": "GitLab", "cwe_ids": [ "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/5xxx/CVE-2025-5990.json" }, "details": "An input neutralization vulnerability in the Server Name form and API Key form components of Crafty Controller allows a remote, authenticated attacker to perform stored XSS via malicious form input.", "id": "CVE-2025-5990", "modified": "2026-04-01T23:10:10.232787475Z", "published": "2025-06-15T18:01:09.667Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/5xxx/CVE-2025-5990.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5990" }, { "type": "REPORT", "url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/567" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "type": "CVSS_V3" } ], "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crafty Controller" }