ThingsBoard < v4.2.1 SVG Image Stored XSS

Advisories

severity: medium
date: October 17, 2025
Affecting: ThingsBoard < v4.2.1
CVE: CVE-2025-34281
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References: ThingsBoard Release Notes
ThingsBoard Patch PR
Credit: Tamil Mathi
Description: ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient sanitization and improper content-type validation of uploaded SVG files.