Platform
javascript
Component
homarr
Fixed in
1.57.1
A DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in Homarr, an open-source dashboard. The flaw, present in versions 0.0.0 through 1.57.0 (inclusive), resides in the /auth/login page. An attacker who can get a user to open a crafted link to that page can execute arbitrary JavaScript in the user's browser, in the origin of the Homarr application, and from there compromise the user's account. The vulnerability is fixed in version 1.57.1.
The vulnerability is DOM-based: the injected JavaScript never passes through the server, but is taken from the crafted URL by client-side code on the /auth/login page (the redirect target, see below) and executed in the Homarr origin in the victim's browser. Because the affected page is the login form, the victim is typically not yet authenticated when the script runs; the script can, however, read or replace the login form, so a successful exploit can lead to credential theft, and any session established afterwards in the same origin is within reach of the injected code. Since Homarr dashboards are commonly deployed inside private networks and link to internal services, the attacker could also use the victim's browser as a foothold for reaching systems on the user's network. The blast radius extends to any data accessible through the compromised account, which makes this a significant risk despite the need for user interaction.
This vulnerability was publicly disclosed on 2026-04-06. There are currently no known active campaigns targeting it. No public proof-of-concept (PoC) code has been released, but a DOM-based XSS triggered by a single URL parameter is usually straightforward to reproduce, so the absence of a public PoC should not be relied on. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.05% (15th percentile)
The primary mitigation for CVE-2026-33510 is to upgrade Homarr to version 1.57.1 or later, which contains the fix. If an immediate upgrade is not feasible, a Web Application Firewall (WAF) rule that blocks requests to /auth/login whose callbackUrl parameter carries a script-bearing URL (for example a javascript: or data: scheme) reduces exposure, but treat it as a stop-gap: a deny-list rule only catches the payload forms it was written for, and URL-encoded or otherwise obfuscated variants can slip past it. The durable fix is on the application side: any user-supplied value used as a redirect or routing target must be validated against an allow-list, typically by accepting only a same-origin path. After upgrading, verify the fix by opening /auth/login with a crafted callbackUrl containing a harmless JavaScript payload; the application should fall back to a safe destination rather than navigate to it, and nothing should execute.
Update to version 1.57.1 or later to mitigate the XSS vulnerability. This update corrects how the application handles the redirect URL, so that a crafted callbackUrl can no longer cause JavaScript to execute.
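The following is an added example, written for this page and not taken from Homarr's code base, of the two approaches described in the mitigation section: a deny-list filter of the kind a WAF rule approximates, beside an allow-list validator for a login-page redirect parameter. The parameter name callbackUrl comes from the advisory text; the application origin, the function names and the sample request URLs are assumptions made for the example. It shows why the allow-list is the real fix: a tab inside the scheme defeats the deny-list regex, but the WHATWG URL parser that browsers use strips tabs and newlines and still resolves the value to a javascript: URL, which the allow-list rejects.

```javascript
// Added example (not Homarr's own code). Demonstrates deny-list filtering
// versus allow-list validation of a redirect parameter such as callbackUrl.

// Assumed deployment origin of the dashboard; any real deployment differs.
const APP_ORIGIN = "https://homarr.example.internal";

// Deny-list check in the style of a WAF rule: blocks the obvious payloads
// (javascript:, data:, vbscript: schemes) in the callbackUrl parameter.
const WAF_PATTERN = /callbackUrl=[^&]*(javascript|data|vbscript):/i;

// Percent-decoding that never throws on malformed sequences.
function decodeSafe(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s;
  }
}

// Returns true when the WAF-style rule would block the request URL.
function wafBlocksRequest(requestUrl) {
  return WAF_PATTERN.test(decodeSafe(requestUrl));
}

// Allow-list validation: the only acceptable redirect target is a path on the
// application's own origin. Anything else collapses to the fallback "/".
function safeCallbackUrl(raw, origin = APP_ORIGIN) {
  const FALLBACK = "/";
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return FALLBACK;
  }
  let parsed;
  try {
    // Resolving against the app origin turns "/dashboard" into an absolute
    // URL while leaving absolute inputs (https://evil, javascript:, //evil,
    // and the backslash variant /\evil) to be parsed as the browser would.
    parsed = new URL(raw, origin);
  } catch {
    return FALLBACK;
  }
  // javascript: and data: URLs have an origin of "null"; cross-site and
  // protocol-relative URLs have a different origin. All are rejected here.
  if (parsed.origin !== origin) return FALLBACK;
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return FALLBACK;
  // Return only path, query and fragment so the value is always same-origin
  // when the page later assigns it to the location.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample values (not captured from any real system) showing the
// deny-list gap: "java<TAB>script:" passes the regex but is still a
// javascript: URL once a browser's URL parser has removed the tab.
const SAMPLES = [
  "/auth/login?callbackUrl=/dashboard",
  "/auth/login?callbackUrl=javascript:alert(1)",
  "/auth/login?callbackUrl=java%09script:alert(1)",
  "/auth/login?callbackUrl=//evil.example/phish",
];

// Summarises, per sample, what the WAF rule and the validator decide.
function classifySamples(samples = SAMPLES) {
  return samples.map((requestUrl) => {
    const value = decodeSafe(requestUrl.split("callbackUrl=")[1] ?? "");
    return {
      requestUrl,
      wafBlocks: wafBlocksRequest(requestUrl),
      redirectTo: safeCallbackUrl(value),
    };
  });
}

for (const row of classifySamples()) console.log(row);
```

In the sample set the WAF rule blocks the plain javascript: payload but not the tab-obfuscated one, while safeCallbackUrl sends every non-local value, including the protocol-relative //evil.example form, back to "/". The same allow-list logic applies to any "return to" parameter, not just a login page.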
CVE-2026-33510 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the /auth/login page of Homarr versions 0.0.0 through 1.57.0, which lets an attacker who supplies a crafted link execute JavaScript in the victim's browser within the Homarr origin.
You are affected if you run any Homarr version from 0.0.0 through 1.57.0. Upgrade to version 1.57.1 or later to mitigate the risk.
Upgrade Homarr to version 1.57.1 or later. As a temporary workaround, apply a WAF rule that blocks requests to /auth/login whose callbackUrl parameter contains a script-bearing URL, bearing in mind that such a rule can be bypassed by obfuscated variants.
There are currently no confirmed reports of active exploitation, but a DOM-based XSS that needs only a crafted link is a plausible target, so the upgrade should not be deferred.
Refer to the official Homarr project's release notes and security advisories for details on this vulnerability and the fix.