Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Lifecycle Timeline
6DescriptionGitHub Advisory
Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0.
AnalysisAI
DOM-based Cross-Site Scripting in Homarr dashboard versions prior to 1.57.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via malicious callbackUrl parameters on the /auth/login page. Despite the high CVSS score of 8.8, no public exploit code or active exploitation has been identified at time of analysis. The vulnerability enables credential theft and unauthorized actions when authenticated users click crafted links, with scope change indicating potential cross-domain impact.
Technical ContextAI
Homarr is an open-source customizable dashboard platform. This vulnerability stems from CWE-87 (Improper Neutralization of Alternate XSS Syntax), manifesting as a DOM-based XSS flaw where the application's authentication login page unsafely handles the callbackUrl parameter. The parameter value flows directly into client-side redirect functions (redirect and router.push) without proper sanitization or validation. Unlike reflected XSS, DOM-based XSS executes entirely in the browser's Document Object Model, allowing attackers to inject javascript: protocol handlers or data: URIs that execute in the victim's security context. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's authorization scope, likely due to improper origin validation in the redirect mechanism enabling cross-domain attacks.
RemediationAI
Upgrade Homarr to version 1.57.0 or later, which contains fixes for the improper callbackUrl parameter handling. The patched version implements proper input validation and sanitization for redirect parameters to prevent JavaScript injection through the authentication page. Organizations should update immediately if Homarr is exposed to untrusted networks or users. Until patching is complete, consider implementing web application firewall rules to block suspicious callbackUrl patterns containing javascript:, data:, or vbscript: protocol handlers, though this is only a temporary mitigation. No workarounds are documented in the vendor advisory. Complete remediation details and upgrade instructions are available in the GitHub Security Advisory at https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82.
Unauthenticated Server-Side Request Forgery in Homarr versions before 1.54.0 enables remote attackers to initiate arbitr
Unauthenticated attackers can query the integration.all endpoint in Homarr prior to version 1.54.0 to enumerate all conf
Homarr versions prior to 1.52.0 contain an unauthenticated SSRF vulnerability in the widget.app.ping endpoint that accep
Homarr prior to version 1.57.0 contains a race condition in the user registration endpoint that allows authenticated att
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19287