threat
engine
.sh
Back
·
··:··
Home
/
Product
/
thingsboard
Product
thingsboard
15 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
Sort
Newest first
Oldest first
Highest CVSS
Lowest CVSS
Min CVSS
Any
4.0+
7.0+ (High)
9.0+ (Critical)
Published since
Reset
CVE-2025-34282
< 4.2.1
ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery fe
9.1
CRITICAL
CVE-2025-34281
< 4.2.1
ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leadi
5.4
MEDIUM
CVE-2025-9094
all versions
A vulnerability was detected in ThingsBoard 4.1. This vulnerability affects unknown code of the component Add Gateway Handler. The
4.3
MEDIUM
CVE-2024-55466
<= 3.8.1
An arbitrary file upload vulnerability in the Image Gallery of ThingsBoard Community, ThingsBoard Cloud and ThingsBoard Profession
6.5
MEDIUM
CVE-2024-9358
<= 3.7
A vulnerability has been found in ThingsBoard up to 3.7.0 and classified as problematic. Affected by this vulnerability is an unkn
5.3
MEDIUM
CVE-2024-3270
<= 3.6.2
A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. This vulnerability affects unknown code of the com
3.8
LOW
CVE-2023-45303
< 3.5
ThingsBoard before 3.5 allows Server-Side Template Injection if users are allowed to modify an email template, because Apache Free
8.4
HIGH
CVE-2022-45608
all versions
An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertic
8.8
HIGH
CVE-2023-26462
all versions
ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for pri
8.1
HIGH
CVE-2022-48341
all versions
ThingsBoard 3.4.1 could allow a remote authenticated attacker to achieve Vertical Privilege Escalation. A Tenant Administrator can
8.8
HIGH
CVE-2022-40004
all versions
Cross Site Scripting (XSS) vulnerability in Things Board 3.4.1 allows remote attackers to escalate privilege via crafted URL to th
9.6
CRITICAL
CVE-2022-31861
<= 3.3.4.1
Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs.
5.4
MEDIUM
CVE-2021-42751
all versions
A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access
4.8
MEDIUM
CVE-2021-42750
all versions
A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access
4.8
MEDIUM
CVE-2020-27687
< 3.2
ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious
8.8
HIGH
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin