ThingsBoard Stored Cross-Site Scripting Vulnerability via Malicious SVG Image Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in ThingsBoard versions prior to 4.2.1. It allows authenticated users to upload malicious SVG images through the 'Image Gallery'. The vulnerability arises because the 'ImageController' does not sanitize uploaded SVG content, so JavaScript embedded in the image executes when the image is loaded in users' browsers. Exploitation can occur when the malicious SVGs are accessed via the public API or embedded in an 'iframe' during widget creation, deployment, and normal platform use. This flaw could enable execution of harmful code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.
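As an added illustration of the mitigation class this advisory implies (this is not ThingsBoard code and not the 4.2.1 fix; the function names, header policy and the sample SVG files are assumptions constructed for the example), the Python below shows the two controls an image-upload endpoint of this kind needs: a strict server-side check that rejects SVGs carrying script elements, event-handler attributes or script-capable URL schemes before they are stored, and a set of response headers that keeps a stored SVG from running in the platform's origin even if it is opened directly or placed in an iframe.

```python
"""Defensive handling of user-uploaded SVG images.

Added illustration only: the function names, the constructed sample files and
the header policy are assumptions, not ThingsBoard's ImageController code or
its 4.2.1 fix.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Elements that can run script or pull active content into an SVG document.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes that have no legitimate use inside an uploaded image.
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*$")


def _local(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1].lower()


def _scheme(value: str) -> str:
    """URL scheme of an attribute value, normalised the way a browser reads it:
    whitespace and control characters dropped, case-folded."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    head, sep, _ = cleaned.partition(":")
    return head if sep and _SCHEME_RE.match(head) else ""


def svg_findings(svg: bytes) -> List[str]:
    """Reasons an uploaded SVG must be rejected; an empty list means it passed.

    The policy is deliberately strict: every event-handler attribute and every
    attribute value with a script-capable scheme is a finding, wherever it sits.
    """
    findings: List[str] = []
    if b"<!doctype" in svg.lower():
        # Entity declarations are never needed for an image and enable XML
        # attacks, so refuse them instead of parsing them (for untrusted XML in
        # production, parse with defusedxml rather than the stdlib parser).
        return ["DOCTYPE declaration not allowed"]
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else "?"
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute '{name}' on <{tag}>")
            elif _scheme(value) in DANGEROUS_SCHEMES:
                findings.append(f"'{name}' on <{tag}> uses {_scheme(value)}: URL")
    return findings


def image_response_headers(content_type: str) -> Dict[str, str]:
    """Headers for serving stored images back to browsers.

    Even if an unsafe SVG slipped past the upload check, these keep it from
    running in the platform's origin: CSP blocks script, the response is
    sandboxed, the declared type cannot be sniffed into HTML, and an SVG opened
    directly is downloaded rather than rendered as a document (<img> embedding
    still works because browsers ignore Content-Disposition for image
    subresources).
    """
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }
    if content_type == "image/svg+xml":
        headers["Content-Disposition"] = "attachment"
    return headers


# Constructed samples for demonstration (not files from the advisory).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="teal"/></svg>')
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                b'<script>alert(1)</script></svg>')
LINKED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<a xlink:href=" JavaScript:alert(1)"><text y="9">x</text></a></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG),
                          ("linked", LINKED_SVG)):
        print(label, svg_findings(sample) or "OK")
    print(image_response_headers("image/svg+xml"))
```

The check runs at upload time so a rejected file never reaches storage; the headers are the second layer and belong on every image route, including the public API path, since that is where a stored SVG would otherwise be rendered as a full document. Rejecting data: URLs is a deliberate trade-off: exported SVGs sometimes embed raster data that way, so a deployment that needs them should allow that scheme only on <image> elements rather than drop the check.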

Impact

Exploitation of this vulnerability leads to stored cross-site scripting: malicious scripts execute in the browser session of the affected user.

Remediation

Update to ThingsBoard version 4.2.1 or later, where this vulnerability has been addressed.

Added: Nov 27, 2025, 6:18 PM
Updated: Nov 27, 2025, 6:18 PM

Vulnerability Rating

Custom Algorithm
spread:          5.0
impact:          1.7
exploitability:  5.7
remediation:     7.7
relevance:       1.1
threat:          3.2
urgency:         2.9
incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.