thingsboard

Direct Vulnerabilities

Known vulnerabilities in the thingsboard package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Race Condition	<4.3.1.1-r2
L GHSA-5qcv-4rpc-jp93	<4.3.1.1-r2
L GHSA-h468-7pvh-8vr8	<4.3.1.1-r2
L CVE-2026-29146	<4.3.1.1-r2
L GHSA-mf92-479x-3373	<4.3.1.1-r0
L CVE-2026-22732	<4.3.1.1-r0
L CVE-2026-22735	<4.3.1.1-r0
L CVE-2026-22737	<4.3.1.1-r0
L GHSA-j3q9-mxjg-w52f	<4.3.1.1-r0
L GHSA-4773-3jfm-qmx3	<4.3.1.1-r0
L CVE-2026-4923	<4.3.1.1-r0
L GHSA-27v5-c462-wpq7	<4.3.1.1-r0
L CVE-2026-4926	<4.3.1.1-r0
L GHSA-6hcq-hmm3-jj3c	<4.3.1.1-r0
H Allocation of Resources Without Limits or Throttling	<4.3.1-r5
L GHSA-w9fj-cfpg-grvv	<4.3.1-r5
L HTTP Request Smuggling	<4.3.1-r4
L GHSA-pwqr-wmgm-9rr8	<4.3.1-r4
L GHSA-crhr-qqj8-rpxc	<4.3.1-r1
H Information Exposure Through Log Files	<4.3.1-r1
L GHSA-8v5q-rhf3-jphm	<4.2-r6
L GHSA-3p8m-j85q-pgmj	<4.2-r3
L GHSA-mh29-5h37-fv8m	<4.2.1-r8
L GHSA-h3gc-qfqq-6h8f	<4.0.1-r8
L CVE-2025-41242	<4.1-r7
L Authentication Bypass	<4.0.1-r51
L Allocation of Resources Without Limits or Throttling	<4.0.1-r8
L GHSA-fghv-69vj-qj49	<4.2-r4
L GHSA-4gc7-5j7h-4qph	<3.8.1-r1
L CVE-2024-12801	<3.9-r0
L GHSA-gvpg-vgmx-xg6w	<3.7-r2
L CVE-2025-27817	<4.0.1-r6
L GHSA-w33c-445m-f8w7	<3.7-r2
L GHSA-pr98-23f8-jwxv	<3.9-r0
L Resource Exhaustion	<4.2.1-r7
L CRLF Injection	<4.2.1-r9
L Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')	<4.2.1-r8
L Improper Handling of Insufficient Permissions or Privileges	<4.2-r7
L GHSA-jq43-27x9-3v86	<4.2.1-r1
L Improperly Controlled Modification of Dynamically-Determined Object Attributes	<4.2.1-r8
L Authentication Bypass	<4.0.1-r8
L GHSA-prj3-ccx8-p6x4	<4.1-r6
L CVE-2025-24970	<3.9.1-r1
L GHSA-4g8c-wm8x-jfhw	<3.9.1-r1
H Uncontrolled Recursion	<3.7-r4
L GHSA-76c9-3jph-rj3q	<4.1-r5
L Time-of-check Time-of-use (TOCTOU)	<3.9-r1
L GHSA-q3v6-hm2v-pw99	<3.8.1-r4
L GHSA-fg2v-w576-w4v3	<3.7-r4
L CVE-2020-36843	<3.9.1-r2
H Incomplete Cleanup	<4.0.1-r1
L CVE-2025-41234	<4.0.1-r7
L CVE-2024-38816	<3.8.1-r2
L GHSA-3p2h-wqq4-wf4h	<4.0.1-r1
M Cross-site Scripting (XSS)	<3.7-r4
L GHSA-mfj5-cf8g-g2fv	<3.9-r1
L GHSA-6rw7-vpxm-498p	<4.2.1.1-r0
L GHSA-6v67-2wr5-gvf4	<3.9-r0
C Improper Certificate Validation	<4.3.1-r2
L GHSA-25qh-j22f-pwp8	<4.2.1-r5
L GHSA-jmp9-x22r-554x	<4.2-r6
L GHSA-pj86-cfqh-vqx6	<4.2.1-r8
L CRLF Injection	<4.2.1-r1
L CVE-2026-24733	<4.3.1-r2
L GHSA-r936-gwx5-v52f	<4.1-r7
L GHSA-72hv-8253-57qq	<4.3.0.1-r3
L GHSA-hgrr-935x-pq79	<4.2.1-r7
L GHSA-j288-q9x7-2f5v	<4.1-r1
L Uncontrolled Recursion	<4.1-r1
L GHSA-pxg6-pf52-xh8x	<3.9.1-r2
L GHSA-wm9w-rjj3-j356	<4.2.1-r7
L GHSA-wc4r-xq3c-5cf3	<4.0.1-r8
L Improper Handling of Case Sensitivity	<4.0.1-r4
L GHSA-p53j-g8pw-4w5f	<3.9.1-r2
L GHSA-w7fw-mjwx-w883	<4.3.0.1-r1
L GHSA-vrpq-qp53-qv56	<4.0.1-r2
L CVE-2025-41248	<4.2-r6
L GHSA-4cx2-fc23-5wg6	<4.2.1-r2
M XML External Entity (XXE) Injection	<4.0.1-r2
L GHSA-7fch-4f2f-jcgm	<4.2.1-r3
L Inefficient Regular Expression Complexity	<3.8.1-r4
H Allocation of Resources Without Limits or Throttling	<4.1-r6
L GHSA-cx7f-g6mp-7hqm	<3.8.1-r2
L CVE-2025-22228	<3.9.1-r2
L GHSA-84h7-rjj3-6jx4	<4.2.1-r9
L GHSA-83qj-6fr2-vhqg	<3.9.1-r2
L GHSA-ff77-26x5-69cr	<4.0.1-r1
L Improper Privilege Management	<3.8.1-r4
L Improper Authentication	<3.9-r1
L GHSA-9wv6-86v2-598j	<3.7-r2
L Inefficient Regular Expression Complexity	<3.7-r2
L GHSA-c4q5-6c82-3qpw	<3.8.1-r2
L GHSA-2qp4-g3q3-f92w	<3.7-r1
L Time-of-check Time-of-use (TOCTOU)	<3.9-r1
L CVE-2025-22227	<4.1-r2
L GHSA-2hmj-97jw-28jh	<4.2-r7
H HTTP Request Smuggling	<4.2-r4
H Improper Handling of Highly Compressed Data (Data Amplification)	<4.2-r3
L CVE-2025-22233	<4.0.1-r5
L CVE-2024-38809	<3.9.1-r2
L GHSA-h2fw-rfh5-95r3	<4.0.1-r4
L GHSA-mg83-c7gq-rv5c	<3.9.1-r2
H Out-of-bounds Write	<3.9.1-r2
C Deserialization of Untrusted Data	<3.9.1-r2
L CVE-2025-8916	<4.2.1-r2
L CVE-2025-41254	<4.2.1-r3
H Out-of-bounds Write	<3.7-r4
L GHSA-m6fv-jmcg-4jfg	<3.7-r4
L CVE-2024-38821	<3.8.1-r2
L GHSA-5j33-cvvr-w245	<3.9-r1
M Incorrect Default Permissions	<3.7-r1
L GHSA-27hp-xhwr-wr2m	<3.9-r1
M Inclusion of Functionality from Untrusted Control Sphere	<3.7-r1
M CVE-2024-38820	<3.8.1-r1
L CVE-2025-41249	<4.2-r6
L GHSA-qq5r-98hh-rxc9	<4.3.1-r2
L CVE-2025-11226	<4.2.1-r5
L Improper Resource Shutdown or Release	<4.2.1-r7
L GHSA-4q2v-9p7v-3v22	<4.1-r2
L CVE-2025-7339	<4.1-r5
L GHSA-6r3c-xf4w-jxjm	<4.0.1-r7
L GHSA-g93m-8x6h-g5gv	<4.0.1-r51
C Improper Encoding or Escaping of Output	<4.0.1-r1
L GHSA-4wp7-92pw-q264	<4.0.1-r5
H CVE-2026-2391	<4.3.0.1-r1
L GHSA-fpj8-gq4v-p354	<4.3.1-r2
L GHSA-735f-pc8j-v9w8	<3.9.1-r2
L CVE-2024-38827	<3.8.1-r4
L GHSA-rhx6-c78j-4q9w	<3.8.1-r4
L CVE-2025-15284	<4.2.1.1-r0
L CVE-2024-12798	<3.9-r0
L GHSA-493p-pfq6-5258	<3.7-r4
L GHSA-vgq5-3255-v292	<4.0.1-r6
L GHSA-2x2g-32r7-p4x8	<3.8.1-r4
L CVE-2024-47764	<3.9.1-r2
H Incorrect Conversion between Numeric Types	<3.7-r2
H CVE-2023-52428	<3.7-r2
L GHSA-cqj8-47ch-rvvq	<3.7-r1
L GHSA-2rmj-mq67-h97g	<3.9.1-r2

Vulnerability

Vulnerable Version

Race Condition

<4.3.1.1-r2