CVE-2025-64759: CWE-20: Improper Input Validation in homarr-labs homarr
Homarr is an open-source dashboard. Prior to version 1.43.3, a stored XSS vulnerability exists that allows the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a maliciously uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator were to view the page that renders or redirects to the SVG. This issue has been patched in version 1.43.3.
AI Analysis
Technical Summary
CVE-2025-64759 is a stored cross-site scripting (XSS) vulnerability identified in the open-source dashboard application Homarr, affecting all versions prior to 1.43.3. The root cause is improper input validation (CWE-20) and inadequate handling of file uploads (CWE-434), specifically maliciously crafted SVG files. When an attacker uploads a specially crafted SVG containing embedded JavaScript, the Homarr dashboard renders this file without sufficient sanitization, allowing the script to execute in the context of any user viewing the page. The vulnerability is particularly dangerous because it can be exploited to escalate privileges: the attacker's account can be added to the "credentials-admin" group if an administrator views the malicious content. This group membership grants full administrative control over the dashboard, potentially compromising all managed credentials and configurations. Exploitation requires the attacker to have an account on the system, and the only user interaction needed is an administrator viewing the malicious SVG. The CVSS v3.1 score is 8.1, reflecting high impact on confidentiality and integrity, with a network attack vector, low attack complexity, and a requirement for privileges and user interaction. The vulnerability was publicly disclosed on November 19, 2025, and patched in version 1.43.3. No known exploits have been observed in the wild yet, but the risk remains significant given the potential for privilege escalation and administrative takeover.
Potential Impact
For European organizations using Homarr dashboards, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive credential data and administrative controls. Successful exploitation could allow attackers to gain full administrative access, leading to unauthorized disclosure of credentials, manipulation of dashboard configurations, and potential pivoting to other internal systems. This could disrupt business operations, compromise user accounts, and lead to data breaches. Since Homarr is used for centralized credential management and dashboarding, the impact extends to any integrated services relying on it. The minimal user interaction required and network-based attack vector increase the likelihood of exploitation in environments where multiple users have access to the dashboard, especially if administrators frequently view user-uploaded content. The absence of known exploits in the wild provides a window for proactive patching, but organizations should treat this as a critical risk due to the high potential impact.
Mitigation Recommendations
1. Immediately upgrade all Homarr instances to version 1.43.3 or later, where the vulnerability is patched.
2. Implement strict input validation and sanitization on all uploaded files, especially SVGs, to prevent embedded scripts from executing.
3. Restrict file upload permissions to trusted users only and consider disabling SVG uploads if not essential.
4. Enforce the principle of least privilege by limiting administrative access and regularly auditing group memberships, particularly the credentials-admin group.
5. Monitor dashboard logs for unusual account privilege changes or suspicious file uploads.
6. Educate administrators to be cautious when viewing user-generated content and to report anomalies promptly.
7. Consider deploying Content Security Policy (CSP) headers to mitigate the impact of potential XSS attacks.
8. Conduct regular security assessments and penetration testing focused on input validation and privilege escalation vectors within Homarr deployments.
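As an added example (not Homarr's own code, and not taken from the advisory), the kind of defender-side control that recommendations 2 and 7 describe: an upload validator that rejects SVGs carrying script-capable constructs, plus the response headers for serving user uploads in a sandboxed, origin-less context. It assumes Python 3 with only the standard library; all function and constant names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}  # ET expands xlink: to its namespace
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}  # run script / embed HTML
ACTIVE_SCHEMES = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)  # data: blocked conservatively

def local_name(tag: str) -> str:
    """Strip a '{namespace}' prefix from an element or attribute name."""
    return tag.rsplit("}", 1)[-1]

def svg_findings(svg_bytes: bytes) -> list[str]:
    """Reasons an uploaded SVG must be rejected; an empty list means it passed.
    A real XML parser is used rather than regexes so case tricks and entity encoding
    cannot hide the constructs; use defusedxml in production to also bound entity expansion."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local_name(root.tag) != "svg":
        return ["root element is not <svg>"]
    findings = []
    for el in root.iter():  # root and every descendant element
        name = local_name(el.tag)
        if name in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):  # onload, onclick, ... are script sinks
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif attr in HREF_ATTRS and ACTIVE_SCHEMES.match(value):
                findings.append(f"active URL scheme in {aname} on <{name}>")
    return findings

def upload_response_headers(filename: str) -> dict[str, str]:
    """Defence-in-depth headers for serving user uploads: the sandbox CSP gives the
    document an opaque origin (no session cookie, no same-origin API calls) and
    'attachment' stops a direct navigation from rendering it; <img> loads still work."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "sandbox; script-src 'none'",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
    }

# Constructed samples for illustration; neither comes from the advisory.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle r="4"/></svg>'
SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* inert */</script></svg>'
```

Run the validator at upload time and reject any file with findings; the headers apply to whatever route serves stored uploads, so a file that was accepted before the check existed is still contained.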
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-10T22:29:34.875Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691e12eee0559f5704623249
Added to database: 11/19/2025, 6:56:46 PM
Last enriched: 11/26/2025, 8:02:09 PM
Last updated: 1/7/2026, 8:48:05 AM