Vulnerability Description
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip file to bypass the client-side file-type verification. This could lead to stored XSS, or be used for other nefarious purposes such as malware distribution. This issue is fixed in version 0.6.8.
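The root cause above is a file-type check that lives only in the browser. The following Go handler-side validation is an added example, not ThinkDashboard's own code; it assumes (hypothetically) that a backup is a ZIP archive containing only JSON files, and the names `ValidateBackupUpload` and `buildZip` are invented for this illustration. It checks the archive by content rather than by the submitted filename and refuses any entry that could land a non-JSON file, or a file outside the target directory, in `/data`.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// ValidateBackupUpload is the server-side gate a client-side .zip filter cannot replace:
// the upload must be a ZIP by content, and each entry a plain JSON file with a safe name.
func ValidateBackupUpload(filename string, data []byte) error {
	// The multipart filename is attacker-controlled: never use it to build a path.
	if strings.ContainsAny(filename, `/\`) || !strings.HasSuffix(strings.ToLower(filename), ".zip") {
		return fmt.Errorf("reject %q: expected a plain .zip file name", filename)
	}
	// Sniff the content, not the name: a non-empty ZIP starts with "PK\x03\x04".
	if !bytes.HasPrefix(data, []byte("PK\x03\x04")) {
		return fmt.Errorf("reject: content is not a ZIP archive")
	}
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil { // also covers zip.ErrInsecurePath when GODEBUG=zipinsecurepath=0
		return fmt.Errorf("reject: unreadable archive: %w", err)
	}
	for _, f := range zr.File {
		clean := path.Clean(f.Name)
		// Zip-slip guard: no absolute paths, traversal, subdirectories or directory entries.
		if strings.HasPrefix(f.Name, "/") || strings.HasPrefix(clean, "..") ||
			strings.ContainsAny(clean, `/\`) || f.FileInfo().IsDir() {
			return fmt.Errorf("reject entry %q: unsafe path", f.Name)
		}
		if !strings.HasSuffix(strings.ToLower(clean), ".json") {
			return fmt.Errorf("reject entry %q: only .json entries are allowed", f.Name)
		}
	}
	return nil
}

// buildZip creates an in-memory archive from name -> content (constructed sample data).
func buildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range entries {
		w, _ := zw.Create(name)
		fmt.Fprint(w, body)
	}
	zw.Close()
	return buf.Bytes()
}
```

A handler would call `ValidateBackupUpload` on the raw upload before writing anything under `/data`, and the extension and entry rules can be widened if a real backup format carries more than JSON.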
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Matiasdesuu | Thinkdashboard | < 0.6.8 |
Related Weaknesses (CWE)
References
- https://github.com/MatiasDesuu/ThinkDashboard/commit/18d2f6aded0d6424cc4c8619731 (Patch)
- https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-jvmw-hg62 (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-64176?
CVE-2025-64176 is a vulnerability with a CVSS score of 5.3 (MEDIUM). ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web applic...
How severe is CVE-2025-64176?
CVE-2025-64176 has been rated MEDIUM with a CVSS base score of 5.3/10. See the CVSS Score section above.
Is there a patch for CVE-2025-64176?
Check the references section above for vendor advisories and patch information. Affected products include: Matiasdesuu Thinkdashboard.