PT-2025-47516 · Homarr · Homarr

Published

2025-11-19

Updated

2025-11-21

CVE-2025-64759

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Homarr versions prior to 1.43.3

Description A stored cross-site scripting (XSS) issue exists in Homarr Dashboard. The issue allows the execution of arbitrary JavaScript in a user's browser with minimal user interaction. This is due to the rendering of a malicious uploaded SVG file. An attacker could potentially add their account to the "credentials-admin" group, gaining full administrative access if an administrator views the page rendering the SVG.

Recommendations Update to version 1.43.3 or later.

Exploit

Fix

LPE

Unrestricted File Upload

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434CWE-20

Related Identifiers

CVE-2025-64759

GHSA-WJ62-C5GR-2X53

Affected Products

Homarr

PT-2025-47516 · Homarr · Homarr

CVE-2025-64759

Weakness Enumeration

Related Identifiers

Affected Products

References · 10