CVE-2026-1770: Crafter CMS has Improper Control of Dynamically-Managed Code Resources

February 2, 2026

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution).

References

docs.craftercms.org/current/security/advisory.html
github.com/advisories/GHSA-gj28-gw7w-3pxc
github.com/craftercms/craftercms
nvd.nist.gov/vuln/detail/CVE-2026-1770

Code Behaviors & Features

Detect and mitigate CVE-2026-1770 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →