Home

Description

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery (SSRF) vulnerability, in its `/api/ping?url= endpoint`. This allows an attacker to make arbitrary requests to internal or external hosts. This can include discovering ports open on the local machine, hosts on the local network, and ports open on the hosts on the internal network. This issue is fixed in version 0.6.8.

PUBLISHED Reserved 2025-10-30 | Published 2025-11-06 | Updated 2025-11-06 | Assigner GitHub_M




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 0.6.8
affected

References

github.com/...hboard/security/advisories/GHSA-p52r-qq3j-8p78 exploit

github.com/...hboard/security/advisories/GHSA-p52r-qq3j-8p78

github.com/...ommit/16976263b22a4b0526b2c7c30294cc099258edae

github.com/MatiasDesuu/ThinkDashboard/releases/tag/0.6.8

cve.org (CVE-2025-64327)

nvd.nist.gov (CVE-2025-64327)

Download JSON