CVE-2025-64759
BaseFortify
Publication date: 2025-11-19
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| homarr | homarr | to 1.43.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) issue in Homarr versions prior to 1.43.3. It occurs because the application improperly renders malicious SVG files uploaded by an attacker. When an administrator views a page that renders or redirects to the malicious SVG, arbitrary JavaScript code can execute in their browser with minimal or no user interaction. This can allow the attacker to escalate privileges by adding their account to the 'credentials-admin' group, granting full administrative access.
How can this vulnerability impact me? :
This vulnerability can lead to an attacker gaining full administrative access to the Homarr dashboard by exploiting the stored XSS flaw. If an administrator views the malicious SVG, the attacker can execute arbitrary JavaScript to add their account to the 'credentials-admin' group. This compromises the security and integrity of the system, potentially allowing unauthorized control and access to sensitive information or administrative functions.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Homarr to version 1.43.3 or later, as this version contains the patch that fixes the stored XSS vulnerability caused by malicious SVG file rendering.