Template Injection Vulnerability in ThingsBoard IoT Platform
CVE-2025-9094

4.3MEDIUM

Key Information:

Vendor: ThingsBoard
Status: ThingsBoard IoT Platform
Vendor: CVE Published:; 17 August 2025

🔔 Create ThingsBoard Vulnerability Alert

What is CVE-2025-9094?

A vulnerability in ThingsBoard 4.1 has been identified that affects the Add Gateway Handler component, allowing for improper neutralization of special elements when utilized in a template engine. This issue can be exploited remotely, posing a risk to the integrity of the system. The vendor has acknowledged the issue and plans to release a fix in the upcoming version 4.2, which will also be included in maintenance releases for long-term support versions starting from 4.0.

References

https://drive.google.com/file/d/1cZy-rfQXsF58kJIVs4UXj7us...

https://vuldb.com/?ctiid.320416

https://vuldb.com/?id.320416

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 17, 2025