LOW
ThingsBoard
CVE published 2026-05-26
CVE-2026-9568
A code injection vulnerability exists in ThingsBoard versions up to 4.3.1.1, specifically within the `getGatewayDockerComposeFile` function accessible via the `/api/v1/provision` endpoint. The vulnerability stems from improper handling of YAML input, allowing an attacker to inject and execute arbitrary code. The attack vector is network-based but requires high complexity and user interaction, resulting in [truncated]