CVE-2025-64759

MEDIUM EPSS 18.9%
Published Nov 19, 20257mo ago · Modified Jun 17, 20261w ago
6.1 CVSS 3.1
Medium
Find Similar
Published Nov 19, 2025 7mo ago
Last Modified Jun 17, 2026 1w ago

Description

Homarr is an open-source dashboard. Prior to version 1.43.3, stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator was to view the page which renders or redirects to the SVG. This issue has been patched in version 1.43.3.

CVSS Details

Base Score
6.1
Exploitability
0.9
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
18.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-20 Improper Input Validation Validation
CWE-434 Unrestricted Upload of File with Dangerous Type Resource Mgmt

Affected Products 1

VendorProductVersionRange
homarrhomarr* <1.43.3

References 2

  • github.com https://github.com/homarr-labs/homarr/commit/aaa23f37321be1e110f722b36889b2fd3bea2059
    PatchPermissions Required
  • github.com https://github.com/homarr-labs/homarr/security/advisories/GHSA-wj62-c5gr-2x53
    PatchVendor Advisory

Remediation

  • github.com https://github.com/homarr-labs/homarr/commit/aaa23f37321be1e110f722b36889b2fd3bea2059
    PatchPermissions Required
  • github.com https://github.com/homarr-labs/homarr/security/advisories/GHSA-wj62-c5gr-2x53
    PatchVendor Advisory