ThinkDashboard Cross-Site Scripting Vulnerability

ThinkDashboard is a lightweight, self-hosted bookmarking dashboard. A cross-site scripting vulnerability exists in ThinkDashboard version 0.6.7 and earlier, which stems from a lack of schema filtering and can be exploited by an attacker to cause a stored cross-site scripting attack...

CVE-2025-64177

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting XSS vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme...

CVE-2025-64327

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery SSRF vulnerability, in its /api/ping?url= endpoint. This allows an attacker to make arbitrary requests to internal or external hosts. This...

CVE-2025-64176

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip...

CVE-2025-64177

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting XSS vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme...

CVE-2025-64176

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip...

CVE-2025-64177 ThinkDashboard: Stored XSS in Dashboard via Malicious Bookmark

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting XSS vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme...

EUVD-2025-38184

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting XSS vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme...

CVE-2025-64177 ThinkDashboard: Stored XSS in Dashboard via Malicious Bookmark

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting XSS vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme...

CVE-2025-64177

ThinkDashboard is a self-hosted bookmark dashboard (Go/JavaScript). A stored XSS vulnerability exists in versions 0.6.7 and earlier caused by lack of scheme filtering when processing bookmarks. Exploitation occurs when a user clicks a malicious bookmark, enabling stored XSS as described in multip...

CVE-2025-64177 ThinkDashboard: Stored XSS in Dashboard via Malicious Bookmark

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting XSS vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme...

CVE-2025-64327

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery SSRF vulnerability, in its /api/ping?url= endpoint. This allows an attacker to make arbitrary requests to internal or external hosts. This...

CVE-2025-64176 ThinkDashboard: Arbitrary File Upload vulnerability in the Backup Import Feature

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip...

EUVD-2025-38185

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip...

CVE-2025-64176 ThinkDashboard: Arbitrary File Upload vulnerability in the Backup Import Feature

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip...

CVE-2025-64176

ThinkDashboard versions ≤ 0.6.7 are affected by an Arbitrary File Upload vulnerability in the Backup Import feature. An attacker can upload any file to the /data directory by selecting a ZIP for backup import, bypassing client-side file-type verification, potentially leading to stored XSS or malw...

CVE-2025-64176 ThinkDashboard: Arbitrary File Upload vulnerability in the Backup Import Feature

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip...

CVE-2025-64327 ThinkDashboard: Blind Server-Side Request Forgery (SSRF) vulnerability in /api/ping Endpoint

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery SSRF vulnerability, in its /api/ping?url= endpoint. This allows an attacker to make arbitrary requests to internal or external hosts. This...

CVE-2025-64327 ThinkDashboard: Blind Server-Side Request Forgery (SSRF) vulnerability in /api/ping Endpoint

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery SSRF vulnerability, in its /api/ping?url= endpoint. This allows an attacker to make arbitrary requests to internal or external hosts. This...

CVE-2025-64327

CVE-2025-64327 affects ThinkDashboard (Go + JavaScript) and is caused by a blind SSRF in the /api/ping?url= endpoint in versions 0.6.7 and earlier. An attacker can cause the application to perform arbitrary requests to internal or external hosts, potentially revealing local network topology and o...