DOM-Based XSS in Homarr /auth/login Redirect_CVE-2026-33510

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

Description

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0.

Basic Information

ID CVE-2026-33510

Source GitHub_M

Published Apr 6, 2026 at 14:51

Modified Apr 6, 2026 at 15:41

Affected Product

Vendor homarr-labs

Product homarr

Version < 1.57.0

Affected Versions homarr-labs homarr < 1.57.0

CWE Classification

CWE-87 CWE-601

References

github.com /homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82

{
    "lastseen": "",
    "description": "Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0.",
    "published": "2026-04-06T14:51:38.960Z",
    "modified": "2026-04-06T15:41:01.491Z",
    "type": "cve",
    "title": "DOM-Based XSS in Homarr /auth/login Redirect",
    "source": "GitHub_M",
    "references": "https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82",
    "id": "CVE-2026-33510",
    "bulletinFamily": "",
    "cwe": [
        "CWE-87",
        "CWE-601"
    ],
    "cvelist": null,
    "sourceData": "homarr-labs homarr < 1.57.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "homarr",
    "version": "< 1.57.0",
    "vendor": "homarr-labs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}