Vulnerability Details CVE-2025-64176
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip file to bypass the client-side file-type verification. This could lead to stored XSS, or be used for other nefarious purposes such as malware distribution. This issue is fixed in version 0.6.8.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 19.8%
CVSS Severity
CVSS v3 Score 5.3
References
Products affected by CVE-2025-64176
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.2
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.2.1
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.3
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.3.1
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.4
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.4.5
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.5
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.5.5
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.6
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.6.5
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.6.6
-
cpe:2.3:a:matiasdesuu:thinkdashboard:0.6.7