CVE Alert

CVE-2025-34282

UNKNOWN 0.0

ThingsBoard < v4.2.1 SVG Image SSRF

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.

CWE: CWE-918
Vendor: thingsboard, inc.
Product: thingsboard
Published: Oct 17, 2025
Last Updated: Jun 23, 2026

Affected Versions

ThingsBoard, Inc. / ThingsBoard
0 < 4.2.1

References

github.com: https://github.com/thingsboard/thingsboard/releases/tag/v4.2.1
github.com: https://github.com/thingsboard/thingsboard/pull/13927
vulncheck.com: https://www.vulncheck.com/advisories/thingsboard-svg-image-ssrf

Credits

Tamil Mathi