CVE-2026-9568

MEDIUM 5.0

ThingsBoard YAML provision getGatewayDockerComposeFile code injection

CVSS Score

5.0

EPSS Score

0.0%

EPSS Percentile

11th

A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The project was informed of the problem early through a pull request but has not reacted yet.

CWE	CWE-94 CWE-74
Vendor	n/a
Product	thingsboard
Published	May 26, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for n/a thingsboard

Be the first to know when new medium vulnerabilities affecting n/a thingsboard are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

n/a / ThingsBoard

4.3.1.0 4.3.1.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/365630 vuldb.com: https://vuldb.com/vuln/365630/cti vuldb.com: https://vuldb.com/submit/817064 github.com: https://github.com/thingsboard/thingsboard/pull/15550 github.com: https://github.com/thingsboard/thingsboard/

Credits

🔍 sunshinetoyou (VulDB User) VulDB CNA Team