CVE-2026-53676 is a high-severity vulnerability in ThingsBoard that allows for arbitrary code execution within a sandboxed context by a user with tenant administrator privileges. The vulnerability is caused by a prototype pollution issue. This issue can lead to significant operational impact, especially in environments where tenant administrator privileges are widespread. Users should review their exposur [truncated]
CVE-2026-36537 is an authentication bypass vulnerability in ThingsBoard v4.3.0.1. The vulnerability occurs during the OAuth authorization code exchange, where the application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to a [truncated]
A code injection vulnerability exists in ThingsBoard versions up to 4.3.1.1, specifically within the `getGatewayDockerComposeFile` function accessible via the `/api/v1/provision` endpoint. The vulnerability stems from improper handling of YAML input, allowing an attacker to inject and execute arbitrary code. The attack vector is network-based but requires high complexity and user interaction, resulting in [truncated]