PT-2025-48282 · Unknown · Thingsboard

João Oliveira · Published 2025-10-17 · Updated 2025-12-03 · CVE-2025-3261

CVSS v4.0: 6.2 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: ThingsBoard versions prior to 4.2.1

Description: An authenticated user can upload malicious SVG images through the "Image Gallery". This leads to a Stored Cross-Site Scripting (XSS) issue. The exploit is triggered when any user accesses the public API endpoint serving the malicious SVG image, or when the image is embedded in an iframe element. The vulnerability is located in the ImageController, which does not restrict JavaScript execution when an image is loaded. This can result in the execution of malicious code within other users' sessions, potentially compromising accounts and enabling unauthorized actions. The affected API endpoint is not explicitly specified beyond being a public API endpoint for SVG images.

Recommendations: Update ThingsBoard to version 4.2.1 or later.
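As an added defensive example (not ThingsBoard's own code), the following Python checks an uploaded SVG for the constructs that let it run script when opened directly or framed, and lists response headers that neutralise such a file on a public image endpoint. The header values, the sample SVGs and the function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Headers a defender would send when serving user-uploaded images from a public
# endpoint: the CSP sandbox and default-src 'none' stop script from running in
# the viewer's origin even if an SVG slips through, Content-Disposition keeps a
# direct visit from rendering the file as a page. Constructed example values.
SAFE_IMAGE_HEADERS = {
    "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
    "Content-Disposition": "attachment",
    "X-Content-Type-Options": "nosniff",
}


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_script_findings(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG could execute script; an empty list means clean.
    For untrusted input in production, parse with a hardened parser (e.g. defusedxml)."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        # <script> runs directly; <foreignObject> can carry arbitrary HTML.
        if name in ("script", "foreignobject"):
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            v = value.strip().lower()
            if a.startswith("on"):  # onload, onerror, onclick, ...
                findings.append(f"event handler attribute {a} on <{name}>")
            elif a == "href" and v.startswith(("javascript:", "data:text/html")):
                findings.append(f"active URL in href on <{name}>")  # also catches xlink:href
    return findings


# Constructed samples, not taken from the advisory.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>'

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, svg_script_findings(sample) or "no findings")
```

Rejecting any upload with findings at the gallery boundary, and sending SAFE_IMAGE_HEADERS from the public image endpoint, addresses both triggers named in the description (direct access and iframe embedding).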

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2025-3261
GHSA-5P82-2Q3R-WJ3M
GHSA-FPQ4-R87V-G246

Affected Products

Thingsboard