Skip to main content

Homarr CVE-2026-33510

| EUVDEUVD-2026-19287 HIGH
Improper Neutralization of Alternate XSS Syntax (CWE-87)
2026-04-06 security-advisories@github.com
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:06 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.57.0
EUVD ID Assigned
Apr 06, 2026 - 15:22 euvd
EUVD-2026-19287
Analysis Generated
Apr 06, 2026 - 15:22 vuln.today
CVE Published
Apr 06, 2026 - 15:17 nvd
HIGH 8.8

DescriptionGitHub Advisory

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0.

AnalysisAI

DOM-based Cross-Site Scripting in Homarr dashboard versions prior to 1.57.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via malicious callbackUrl parameters on the /auth/login page. Despite the high CVSS score of 8.8, no public exploit code or active exploitation has been identified at time of analysis. The vulnerability enables credential theft and unauthorized actions when authenticated users click crafted links, with scope change indicating potential cross-domain impact.

Technical ContextAI

Homarr is an open-source customizable dashboard platform. This vulnerability stems from CWE-87 (Improper Neutralization of Alternate XSS Syntax), manifesting as a DOM-based XSS flaw where the application's authentication login page unsafely handles the callbackUrl parameter. The parameter value flows directly into client-side redirect functions (redirect and router.push) without proper sanitization or validation. Unlike reflected XSS, DOM-based XSS executes entirely in the browser's Document Object Model, allowing attackers to inject javascript: protocol handlers or data: URIs that execute in the victim's security context. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's authorization scope, likely due to improper origin validation in the redirect mechanism enabling cross-domain attacks.

RemediationAI

Upgrade Homarr to version 1.57.0 or later, which contains fixes for the improper callbackUrl parameter handling. The patched version implements proper input validation and sanitization for redirect parameters to prevent JavaScript injection through the authentication page. Organizations should update immediately if Homarr is exposed to untrusted networks or users. Until patching is complete, consider implementing web application firewall rules to block suspicious callbackUrl patterns containing javascript:, data:, or vbscript: protocol handlers, though this is only a temporary mitigation. No workarounds are documented in the vendor advisory. Complete remediation details and upgrade instructions are available in the GitHub Security Advisory at https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82.

Share

CVE-2026-33510 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy