DOM-based XSS Vulnerability in Homarr Open-Source Dashboard
CVE-2026-33510

8.8 HIGH

Key Information:

Status
Vendor
CVE Published:
6 April 2026

What is CVE-2026-33510?

A vulnerability has been identified in the Homarr Open-Source Dashboard that allows DOM-based Cross-Site Scripting (XSS) via the '/auth/login' page. The flaw stems from the application's improper handling of the 'callbackUrl' URL parameter, which lets attackers craft malicious links. When an authenticated user opens such a link, it can trigger a client-side redirect and execute arbitrary JavaScript in the victim's browser. The resulting risks include credential theft, unauthorized actions performed on the victim's behalf, and further exploitation of the victim's network. The issue has been addressed in version 1.57.0.
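The root cause described above is a login page that trusts a redirect target supplied in the query string. The following added example (not Homarr's code; the origin `https://dashboard.example` and the sample inputs are constructed) shows the defensive pattern a fix for this class of bug relies on: resolve `callbackUrl` against the application's own origin and hand back only a same-origin path, so `javascript:` URLs, protocol-relative hosts and lookalike domains all fall back to a safe default.

```javascript
// Added example (not Homarr's code): allow-list a post-login redirect target.
// A login page that redirects to whatever `callbackUrl` says can be abused by
// a crafted link; resolving the value against the app's own origin and
// refusing anything that leaves that origin removes both the open redirect
// and the javascript:/data: URL execution path.

const DEFAULT_TARGET = "/";

/**
 * Return a same-origin path (path + query + fragment) derived from `raw`,
 * or DEFAULT_TARGET when the value cannot be trusted.
 * `appOrigin` is the dashboard's own origin, e.g. "https://dashboard.example".
 */
function safeCallbackUrl(raw, appOrigin) {
  if (typeof raw !== "string" || raw.length === 0) return DEFAULT_TARGET;

  let url;
  try {
    // Resolving against appOrigin turns relative paths into absolute URLs and
    // normalises tricks such as "/\evil.example" (backslash is parsed as "/").
    url = new URL(raw, appOrigin);
  } catch {
    return DEFAULT_TARGET; // unparseable input
  }

  // javascript:, data:, vbscript: etc. have the opaque origin "null";
  // "//evil.example" and absolute URLs elsewhere have a foreign origin.
  if (url.origin !== appOrigin) return DEFAULT_TARGET;

  // Hand back only the path part, never scheme or host, so the caller cannot
  // redirect off-site even if appOrigin is later misconfigured.
  return url.pathname + url.search + url.hash;
}

// Constructed inputs (hypothetical hosts) showing what the check accepts/rejects.
const APP = "https://dashboard.example";
const samples = [
  "/boards/home?tab=apps",              // kept
  "https://dashboard.example/settings", // same origin: kept as "/settings"
  "//evil.example/phish",               // protocol-relative: rejected
  "javascript:alert(1)",                // script URL: rejected
  "/\\evil.example",                    // backslash host smuggling: rejected
  "https://dashboard.example.evil/",    // lookalike host: rejected
];

function demo() {
  return samples.map((s) => [s, safeCallbackUrl(s, APP)]);
}

if (typeof module !== "undefined" && require.main === module) {
  for (const [input, result] of demo()) console.log(`${input} -> ${result}`);
}
```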

Affected Version(s)

homarr < 1.57.0

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
