Stored XSS Vulnerability in Homarr Open-Source Dashboard
CVE-2025-64759

8.1HIGH

Key Information:

Vendor: Homarr-labs
Status: Homarr
Vendor: CVE Published:; 19 November 2025

🔔 Create Homarr-labs Vulnerability Alert

What is CVE-2025-64759?

Homarr, an open-source dashboard, is vulnerable to stored XSS due to the improper handling of uploaded SVG files. Prior to version 1.43.3, this vulnerability enabled the execution of arbitrary JavaScript in a user's browser with little to no user interaction. An attacker could exploit this by uploading a malicious SVG file, which when viewed by an administrator, could potentially elevate their privileges to gain full administrative access. This has significant implications for the security of the platform, particularly for users with administrative rights. The issue has been remediated in version 1.43.3, so users are urged to update to this version or later to mitigate any risks.

Affected Version(s)

homarr < 1.43.3

References

https://github.com/homarr-labs/homarr/security/advisories...

x_refsource_CONFIRM

https://github.com/homarr-labs/homarr/commit/aaa23f37321b...

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 19, 2025
Vulnerability Reserved
Nov 10, 2025

JSON