Stored Cross-Site Scripting Vulnerability in ThingsBoard Dashboard by ThingsBoard
CVE-2025-34281
6.2 MEDIUM
What is CVE-2025-34281?
An XSS vulnerability exists in the ThingsBoard dashboard's Image Upload Gallery, where versions prior to 4.2.1 improperly handle SVG file uploads. By exploiting insufficient sanitization and validation of content types, an attacker can upload a malicious SVG file, allowing them to execute harmful JavaScript within the application's user interface. This vulnerability highlights critical security concerns regarding user-generated content and the importance of implementing strict validation measures.
Affected Version(s)
thingsboard 0 < 4.2.1
