ThinkDashboard is a self-hosted bookmark dashboard application developed using Go and vanilla JavaScript. Versions 0.6.7 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-64177, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability stems from insufficient input sanitization, specifically the lack of scheme filtering on user-submitted bookmarks. This allows an attacker to craft a malicious bookmark containing executable JavaScript code. When a user clicks on such a bookmark within the dashboard, the malicious script executes in the context of the user's browser session. The vulnerability requires no authentication but does require user interaction (clicking the malicious bookmark). The CVSS 3.1 base score is 5.4, reflecting medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts limited confidentiality and integrity but no availability impact. The flaw could enable attackers to steal session cookies, perform actions on behalf of the user, or manipulate dashboard content, potentially leading to further compromise or data leakage. The issue is resolved in ThinkDashboard version 0.6.8 by implementing proper scheme filtering and input neutralization. No public exploits have been reported to date, but the vulnerability's presence in a self-hosted tool used by developers and organizations makes timely patching critical.

For European organizations using ThinkDashboard, this vulnerability poses a moderate risk primarily to confidentiality and integrity. Exploitation could allow attackers to hijack user sessions, steal sensitive information, or inject unauthorized content into the dashboard interface. Since ThinkDashboard is self-hosted, the impact depends on the deployment scale and user base within an organization. Organizations with multiple users accessing the dashboard are at higher risk. The vulnerability could facilitate lateral movement or data exfiltration if leveraged as part of a broader attack chain. Although no availability impact is expected, the compromise of user credentials or session tokens could lead to further security incidents. Given the medium severity and requirement for user interaction, the threat is significant but not critical. European companies relying on ThinkDashboard for internal productivity or knowledge management should consider this vulnerability a priority for remediation to prevent potential exploitation and maintain operational security.

The primary mitigation is to upgrade ThinkDashboard to version 0.6.8 or later, where the vulnerability is fixed by proper scheme filtering and input sanitization. Organizations should audit their current deployments to identify affected versions and apply updates promptly. Additionally, implement strict input validation and output encoding on all user-supplied data, especially URLs and bookmarks, to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce XSS impact. Educate users about the risks of clicking untrusted bookmarks within the dashboard. Regularly review and monitor logs for suspicious bookmark creation or access patterns. For environments where immediate upgrade is not feasible, consider disabling bookmark creation or restricting it to trusted users only. Incorporate automated security testing in the development lifecycle to detect similar vulnerabilities early. Finally, maintain an incident response plan to quickly address any exploitation attempts.