CVE-2024-55466

MEDIUM

ThingsBoard < 3.8.1 - Arbitrary File Upload and Remote Code Execution via Image Gallery

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-55466. PoCs published by cybsecsid.

AI-analyzed exploit summary: The repository documents a stored XSS vulnerability in the ThingsBoard IoT Platform (CVE-2024-55466), triggered by uploading a malicious SVG file to the Image Gallery. The script runs in the browser of any user who opens the uploaded image and is used to steal that user's authentication token, which the writeup turns into privilege escalation. Note that this is client-side script execution in a victim's browser, not the server-side arbitrary code execution the CVE description claims; no public PoC for the latter is tracked here.
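The root cause class is that SVG is an XML document the browser will render and script, so an image-gallery endpoint that accepts SVG is a stored-XSS sink. The following is an added example, not ThingsBoard code and not taken from the PoC writeup: a reject-on-sight gate for uploaded SVGs that flags script elements, event-handler attributes, non-fragment URLs, CSS resource loads and DTD/XSLT constructs, plus the defence-in-depth response headers that stop token theft even if the gate is bypassed. The sample SVGs are constructed for the example; element and attribute names are standard SVG/XML, not ThingsBoard-specific.

```python
"""Gate uploaded SVGs before accepting them into an image gallery.

Added example (not ThingsBoard's code). SVG is XML that browsers render as a
document, so <script>, on* handlers, javascript: links and embedded HTML all
execute when the file is opened same-origin, where the victim's auth token is
reachable. A full sanitizer (e.g. DOMPurify) rewrites; this one only rejects.
"""
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed a foreign (HTML) document inside the SVG.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Only same-document fragment references (#id) are allowed in href/src. A gallery
# that wants embedded rasters could additionally allow data:image/png;base64.
ALLOWED_REF = re.compile(r"^#[\w.:-]+$")
CSS_LOAD = re.compile(r"url\(|@import", re.IGNORECASE)


def local_name(tag: str) -> str:
    """Strip the XML namespace from a tag or attribute: '{ns}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return findings for an uploaded SVG; an empty list means nothing active was
    found. Any non-empty result should reject the upload."""
    # A DTD (entity expansion, external entities) or an XSLT stylesheet PI is never
    # needed for a gallery image; refuse before the bytes reach the parser.
    if re.search(rb"<!DOCTYPE", data, re.IGNORECASE):
        return ["DOCTYPE declaration present"]
    if re.search(rb"<\?xml-stylesheet", data, re.IGNORECASE):
        return ["xml-stylesheet processing instruction present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings: list[str] = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"active element <{name}>")
        if name == "style" and CSS_LOAD.search(el.text or ""):
            findings.append("external resource load in <style>")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname in ("href", "src") and not ALLOWED_REF.match(value.strip()):
                findings.append(f"non-fragment URL in {aname} on <{name}>: {value.strip()[:40]}")
            elif aname == "style" and CSS_LOAD.search(value):
                findings.append(f"external resource load in style attribute on <{name}>")
    return findings


def safe_svg_headers() -> dict[str, str]:
    """Headers for serving user-uploaded SVGs. 'sandbox' plus default-src 'none'
    disables script and gives the document an opaque origin when it is opened
    directly, so a bypassed scan still cannot read the application's token;
    nosniff stops the bytes being reinterpreted as HTML. Serving uploads from a
    separate origin altogether is the stronger fix."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
    }


# Constructed samples for the example (not payloads from the CVE writeup).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<rect width="10" height="10" fill="#09f"/></svg>')
ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="void 0">
  <script>/* constructed marker: would execute when the file is opened as a document */</script>
  <a xlink:href="javascript:void(0)"><text y="8">link</text></a>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, scan_svg(blob) or "clean")
```

The scanner is deliberately a deny-list gate rather than a rewriter: for a gallery that only needs static vector art, rejecting anything with active content is simpler to audit than sanitizing it, and the CSP/nosniff headers cover the case where a future SVG feature slips past the list.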

Description

An arbitrary file upload vulnerability in the Image Gallery of ThingsBoard Community, ThingsBoard Cloud and ThingsBoard Professional v3.8.1 allows attackers to execute arbitrary code via uploading a crafted file.

Exploits (1)

nomisec WRITEUP
by cybsecsid · poc
https://github.com/cybsecsid/ThingsBoard-IoT-Platform-CVE-2024-55466


Classification
Writeup 90%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: ThingsBoard IoT Platform (Community, Professional, Cloud editions) versions 3.8.1 or earlier
Auth required
Prerequisites: Access to a low-privileged ThingsBoard account · Ability to upload files to the Image Gallery
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.5
EPSS 0.0031
EPSS Percentile 23.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Note that the vector scores PR:N (no privileges required), whereas the tracked PoC needs a low-privileged account that can upload to the Image Gallery; with PR:L the same vector scores 5.4.

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-77
Status published
Products (1)
thingsboard/thingsboard < 3.8.1
Published May 12, 2025
Tracked Since Feb 18, 2026