PT-2025-45378 · Unknown · Thinkdashboard

Published: 2025-11-06 · Updated: 2025-11-21 · CVE-2025-64176

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the vulnerable software and affected versions: ThinkDashboard versions 0.6.7 and below

Description: ThinkDashboard, a self-hosted bookmark dashboard built with Go and vanilla JavaScript, has an issue where an attacker can upload arbitrary files to the '/data' directory of the web application. This is possible through the backup import feature, bypassing client-side file-type verification by uploading a '.zip' file. Successful exploitation could lead to stored cross-site scripting (XSS) or malware distribution.

Recommendations: Update to version 0.6.8 or later.
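Server-side validation of a backup import, as an added Go example that is not ThinkDashboard's own code: it assumes a backup is a zip whose entries are JSON files (the advisory does not describe the real layout), and rejects any other file type and any entry name that would escape the data directory, so that client-side checks are no longer the only gate.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// ValidateBackup vets an uploaded backup server-side before anything is
// written under the data directory: the body must parse as a zip, and every
// entry must be a plain file with a clean relative name and a .json extension
// (the JSON-only rule is an assumption; the advisory does not give the backup
// layout). Go's zip reader accepts ".." and absolute names by default.
func ValidateBackup(upload []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(upload), int64(len(upload)))
	if err != nil {
		return nil, fmt.Errorf("invalid zip: %w", err)
	}
	var names []string
	for _, f := range zr.File {
		n := f.Name
		if strings.HasPrefix(n, "/") || strings.Contains(n, "\\") ||
			path.Clean(n) != n || n == ".." || strings.HasPrefix(n, "../") {
			return nil, fmt.Errorf("unsafe entry path (zip-slip): %q", n)
		}
		if strings.ToLower(path.Ext(n)) != ".json" {
			return nil, fmt.Errorf("disallowed file type: %q", n)
		}
		names = append(names, n)
	}
	return names, nil
}

// BuildArchive creates a constructed in-memory backup for demonstration only.
func BuildArchive(files map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range files {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(ValidateBackup(BuildArchive(map[string]string{"evil.html": "<script>"})))
}
```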

Exploit

Fix

XSS

Unrestricted File Upload

RCE

Weakness Enumeration

Related Identifiers

CVE-2025-64176
GHSA-JVMW-HG62-JR47

Affected Products

Thinkdashboard