CVE-2025-34281
MEDIUM5.4EPSS 0.03%ThingsBoard vulnerable to stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature
Published: 10/17/2025Modified: 2/10/2026
Description
ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient sanitization and improper content-type validation of uploaded SVG files.
Affected packages (1)
- Maven/org.thingsboard:applicationfrom 0, < 4.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-34281
- PATCHhttps://github.com/thingsboard/thingsboard
- WEBhttps://advisory.checkmarx.net/advisory/CVE-2025-3261
- WEBhttps://advisory.checkmarx.net/advisory/CVE-2025-34281
- WEBhttps://github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03
- WEBhttps://github.com/thingsboard/thingsboard/pull/13927
- WEBhttps://github.com/thingsboard/thingsboard/releases/tag/v4.2.1
- WEBhttps://www.vulncheck.com/advisories/thingsboard-svg-image-stored-xss