PT-2025-42641 · Unknown · Thingsboard

Author: João Oliveira (+1)
Published: 2025-10-17 · Updated: 2026-02-10
CVE-2025-34281
CVSS v4.0: 6.2 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: ThingsBoard versions prior to 4.2.1

Description: The software contains a stored cross-site scripting (XSS) issue within the dashboard's Image Upload Gallery feature. An attacker can upload a Scalable Vector Graphics (SVG) file containing malicious JavaScript. This JavaScript may be executed when the file is rendered in the user interface. The issue is due to inadequate sanitization and improper content-type validation of uploaded SVG files.

Recommendations: Update to version 4.2.1 or later.
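The advisory names two root causes: the declared content type of the upload was not checked against what the file actually contained, and SVG content was not sanitized before being rendered. The following is an added example, written for this page and not code from ThingsBoard or the 4.2.1 fix, of how an upload gate for an image gallery can close both gaps. The handler shape (a declared content type plus raw bytes), the allow-list of image types and the sample SVG documents are all constructed assumptions. It rejects rather than rewrites: an image gallery only needs static drawings, so any active content (script elements, event-handler attributes, script-scheme links, embedded HTML, entity declarations) is grounds to refuse the file.

```python
"""Defensive validation of SVG uploads for an image gallery (added example)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Hypothetical allow-list for the gallery; a real handler would also check PNG/JPEG magic bytes.
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif", "image/svg+xml"}
# Elements that can execute script, embed HTML, or rewrite attributes (set/animate) at runtime.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "use", "set", "animate"}
SAFE_SCHEMES = {"http", "https"}
_SVG_HEAD = re.compile(rb"^(?:<\?xml[^>]*>|<!--.*?-->|<!doctype[^>]*>|\s)*<svg[\s>]", re.DOTALL)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on element and attribute names."""
    return name.rsplit("}", 1)[-1]


def looks_like_svg(data: bytes) -> bool:
    """Content sniff: the first tag after an optional XML prolog/comments must be <svg>."""
    head = data[:2048].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    return _SVG_HEAD.match(head) is not None


def _unsafe_reference(value: str) -> bool:
    """True if an href/src could run script or embed non-image content.

    Whitespace is removed first because browsers ignore tabs/newlines inside a scheme,
    so 'java<TAB>script:' must be treated as 'javascript:'.
    """
    v = re.sub(r"\s", "", value).lower()
    if v.startswith("#") or ":" not in v:
        return False  # fragment or relative reference
    scheme = v.split(":", 1)[0]
    if scheme == "data":
        mime = v.split(",", 1)[0]
        return not mime.startswith("data:image/") or "svg" in mime  # nested SVG may carry script
    return scheme not in SAFE_SCHEMES


def inspect_svg(data: bytes) -> list[str]:
    """Return the reasons an SVG is unsafe for rendering; an empty list means it passed."""
    problems: list[str] = []
    if re.search(rb"<!DOCTYPE", data[:4096], re.IGNORECASE):
        # Refuse before parsing: stdlib ElementTree expands internal entities (billion-laughs risk).
        return ["DOCTYPE / entity declarations are not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append(f"root element is {root.tag!r}, expected <svg> in the SVG namespace")
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{name}>")
        if name == "style" and el.text and re.search(r"url\(|@import", el.text, re.IGNORECASE):
            problems.append("<style> element loads external resources")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                problems.append(f"event handler attribute {aname!r} on <{name}>")
            elif aname in ("href", "src") and _unsafe_reference(value):
                problems.append(f"unsafe reference {value!r} on <{name}>")
            elif aname == "style" and re.search(r"url\(|expression\(", value, re.IGNORECASE):
                problems.append(f"style attribute with url()/expression() on <{name}>")
    return problems


def validate_upload(declared_type: str, data: bytes) -> tuple[bool, list[str]]:
    """Gate an upload: the declared type must be allowed and must agree with the bytes;
    SVG content is then inspected for active content."""
    ctype = declared_type.split(";", 1)[0].strip().lower()
    if ctype not in ALLOWED_TYPES:
        return False, [f"content type {ctype!r} not allowed"]
    is_svg = looks_like_svg(data)
    if is_svg != (ctype == "image/svg+xml"):
        # Declared type and content disagree (e.g. an SVG uploaded as image/png).
        return False, [f"declared {ctype!r} but content {'is' if is_svg else 'is not'} SVG"]
    if is_svg:
        problems = inspect_svg(data)
        return (not problems), problems
    return True, []


# Constructed sample inputs for demonstration; not taken from the advisory.
SAFE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#2a9d8f"/>
</svg>"""

UNSAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="handler()">
  <script>/* script body omitted */</script>
  <a xlink:href="java&#9;script:x"><text y="8">link</text></a>
</svg>"""

if __name__ == "__main__":
    for label, ctype, blob in (("safe", "image/svg+xml", SAFE_SVG),
                               ("unsafe", "image/svg+xml", UNSAFE_SVG),
                               ("spoofed", "image/png", UNSAFE_SVG)):
        print(label, validate_upload(ctype, blob))
```

Even with a gate like this in place, serving uploaded SVGs from a separate origin, or with `Content-Disposition: attachment` and a restrictive `Content-Security-Policy`, keeps a bypass from executing in the application's origin; validation and response headers are complementary controls, not alternatives.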

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-34281
GHSA-FPQ4-R87V-G246

Affected Products

Thingsboard