CVE-2025-64759

Homarr is an open-source dashboard. Prior to version 1.43.3, stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator was to view the page which renders or redirects to the SVG. This issue has been patched in version 1.43.3.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.7 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/homarr-labs/homarr/commit/aaa23f37321be1e110f722b36889b2fd3bea2059	Patch Permissions Required
https://github.com/homarr-labs/homarr/security/advisories/GHSA-wj62-c5gr-2x53	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*

History

14 Apr 2026, 15:42

Type	Values Removed	Values Added
References	~~() https://github.com/homarr-labs/homarr/commit/aaa23f37321be1e110f722b36889b2fd3bea2059 -~~	() https://github.com/homarr-labs/homarr/commit/aaa23f37321be1e110f722b36889b2fd3bea2059 - Patch, Permissions Required
References	~~() https://github.com/homarr-labs/homarr/security/advisories/GHSA-wj62-c5gr-2x53 -~~	() https://github.com/homarr-labs/homarr/security/advisories/GHSA-wj62-c5gr-2x53 - Patch, Vendor Advisory
CPE		cpe:2.3:a:homarr:homarr::::::::
First Time		Homarr Homarr homarr

19 Nov 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-19 19:15

Updated : 2026-04-14 15:42

NVD link : CVE-2025-64759

Mitre link : CVE-2025-64759

CVE.ORG link : CVE-2025-64759

JSON object : View

Products Affected

homarr

homarr

CWE

CWE-20

Improper Input Validation

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2025-64759", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.9}]}, "published": "2025-11-19T19:15:49.963", "references": [{"url": "https://github.com/homarr-labs/homarr/commit/aaa23f37321be1e110f722b36889b2fd3bea2059", "tags": ["Patch", "Permissions Required"], "source": "security-advisories@github.com"}, {"url": "https://github.com/homarr-labs/homarr/security/advisories/GHSA-wj62-c5gr-2x53", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-434"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Homarr is an open-source dashboard. Prior to version 1.43.3, stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the \"credentials-admin\" group, giving them full administrative access, if a user logged in as an administrator was to view the page which renders or redirects to the SVG. This issue has been patched in version 1.43.3."}], "lastModified": "2026-04-14T15:42:45.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B201889-9433-4F89-888C-7C83A6487CD7", "versionEndExcluding": "1.43.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}