What is the CVSS score of CVE-2026-33510?

CVE-2026-33510 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Homarr are affected by CVE-2026-33510?

Homarr dashboard versions before 1.57.0 contain a DOM-based XSS vulnerability in the login page that allows unauthenticated attackers to inject malicious code targeting your users.. A patch is available.

How to fix or mitigate CVE-2026-33510?

Within 24 hours: Inventory all Homarr instances and confirm current versions. Within 7 days: Upgrade all Homarr deployments to version 1.57.0 or later. Within 30 days: Conduct security awareness training on malicious link risks and implement web application firewall rules to block suspicious callbackUrl parameters on the /auth/login endpoint.

Homarr CVE-2026-33510

EUVD-2026-19287 HIGH

Improper Neutralization of Alternate XSS Syntax (CWE-87)

2026-04-06 security-advisories@github.com

XSS

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:06 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.57.0

EUVD ID Assigned

Apr 06, 2026 - 15:22 euvd

EUVD-2026-19287

Analysis Generated

Apr 06, 2026 - 15:22 vuln.today

CVE Published

Apr 06, 2026 - 15:17 nvd

HIGH 8.8

DescriptionNVD

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0.

AnalysisAI

DOM-based Cross-Site Scripting in Homarr dashboard versions prior to 1.57.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via malicious callbackUrl parameters on the /auth/login page. Despite the high CVSS score of 8.8, no public exploit code or active exploitation has been identified at time of analysis. …

RemediationAI

Within 24 hours: Inventory all Homarr instances and confirm current versions. Within 7 days: Upgrade all Homarr deployments to version 1.57.0 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33510 vulnerability details – vuln.today

Back