CVE-2025-64759
Published: 19 November 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-64759 is a stored cross-site scripting (XSS) vulnerability in Homarr, an open-source dashboard application. Versions prior to 1.43.3 are affected due to improper handling of uploaded SVG files, which allows the execution of arbitrary JavaScript in a victim's browser when the malicious file is rendered. The issue is linked to CWE-20 (Improper Input Validation) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N).
An authenticated attacker with high privileges can exploit this by uploading a malicious SVG file. If an administrator views a page that renders or redirects to the SVG, the stored XSS payload executes with minimal or no further user interaction, enabling the attacker to manipulate the application in the admin's context. This can be abused to add the attacker's account to the "credentials-admin" group, granting full administrative access to the Homarr instance.
The vulnerability has been patched in Homarr version 1.43.3. Official mitigation guidance is available in the Homarr security advisory (GHSA-wj62-c5gr-2x53) and the corresponding patch commit (aaa23f37321be1e110f722b36889b2fd3bea2059) on GitHub, recommending immediate upgrades for affected deployments.
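As an added illustration (not Homarr's code and not its 1.43.3 patch), the Python below shows the two defensive controls the advisory's CWEs point at: an upload gate that rejects SVG files carrying active content (CWE-434 / CWE-20), and response headers that keep a stored SVG from running script in the application's origin even if a check is missed. The function names, the size limit and the sample files are constructed for this example; in production, parse with defusedxml rather than the stdlib parser to also cover DTD and entity-expansion abuse.

```python
"""Illustrative SVG upload gate and serving headers (constructed example,
not Homarr's implementation)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_SVG_BYTES = 512 * 1024  # assumed upload limit; also blunts entity-expansion bombs

# Elements that execute or embed code when an SVG is opened as a document.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URL schemes that turn an attribute value into executable or embedded content.
_SCRIPT_SCHEME = re.compile(r"^(javascript|data|vbscript):", re.IGNORECASE)


def _local(name: str) -> str:
    """'{namespace}tag' -> 'tag', lowercased (ElementTree uses Clark notation)."""
    return name.rsplit("}", 1)[-1].lower()


def _is_script_url(value: str) -> bool:
    # Drop whitespace/control characters so 'java\nscript:' is still recognised.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return bool(_SCRIPT_SCHEME.match(cleaned))


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return the reasons an uploaded SVG is unsafe; an empty list means no finding."""
    if len(svg_bytes) > MAX_SVG_BYTES:
        return ["file exceeds size limit"]
    try:
        root = ET.fromstring(svg_bytes)  # production: defusedxml.ElementTree.fromstring
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings: list[str] = []
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is not svg: {root.tag}")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler attribute {a} on <{name}>")
            elif _is_script_url(value):  # href, xlink:href, animate/set values, ...
                findings.append(f"script URL in attribute {a} on <{name}>")
    return findings


def validate_upload(svg_bytes: bytes) -> bool:
    """Accept the upload only when the gate reports nothing."""
    return not find_active_content(svg_bytes)


def hardened_svg_headers() -> dict[str, str]:
    """Headers for serving a stored SVG so that even a missed payload cannot run
    in the application's origin. <img>-style rendering is unaffected; a direct
    navigation to the file gets a download instead of a scriptable document."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": "attachment",
    }


# Constructed sample uploads used to exercise the gate.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>'
HREF = b'<svg xmlns="http://www.w3.org/2000/svg"><a href="java&#10;script:x()"><text>t</text></a></svg>'
NOT_SVG = b'<html xmlns="http://www.w3.org/1999/xhtml"/>'

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("script", SCRIPT), ("handler", HANDLER),
                          ("href", HREF), ("not-svg", NOT_SVG)]:
        print(label, "accepted" if validate_upload(sample) else find_active_content(sample))
```

The gate is an allow-list in spirit: it flags any attribute value with a script or data scheme regardless of attribute name, so `animate`/`set` tricks that rewrite `href` at runtime are caught alongside a plain `<a href>`. The headers are the second layer the advisory's impact description calls for: the admin-context execution only happens when the SVG is rendered as a document, and `Content-Disposition: attachment` plus a sandboxed CSP removes that path.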
Details
- CWE(s): CWE-20 (Improper Input Validation), CWE-434 (Unrestricted Upload of File with Dangerous Type)
- Affected Products: Homarr, versions prior to 1.43.3 (fixed in 1.43.3)
MITRE ATT&CK Enterprise Techniques
- T1059.007 (Command and Scripting Interpreter: JavaScript)
- T1068 (Exploitation for Privilege Escalation)
Why these techniques?
Stored XSS via a malicious SVG upload enables arbitrary JavaScript execution (T1059.007) in the administrator's browser context; this is exploited for privilege escalation (T1068) by manipulating the application to grant the attacker's account administrative access.