NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2025-64759

Summary	Homarr is an open-source dashboard. Prior to version 1.43.3, stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator was to view the page which renders or redirects to the SVG. This issue has been patched in version 1.43.3.
Publication Date	Nov. 20, 2025, 4:15 a.m.
Registration Date	April 15, 2026, 11:18 a.m.
Last Update	April 15, 2026, 12:42 a.m.

CVSS3.1 : MEDIUM
スコア	6.1
Vector	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	高
利用者の関与(UI)	要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	なし

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:homarr:homarr::::::::					1.43.3

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/homarr-labs/homarr/commit/aaa23f37321be1e110f722b36889b2fd3bea2059	security-advisories@github.com
2	https://github.com/homarr-labs/homarr/security/advisories/GHSA-wj62-c5gr-2x53	security-advisories@github.com

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html
2	CWE-434	危険なタイプのファイルの無制限アップロード	https://cwe.mitre.org/data/definitions/434.html