Homarr Dashboard Vulnerable to DOM-Based XSS

A DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in the Homarr open-source dashboard, according to CVE Notify. The flaw, present in versions prior to 1.57.0, resides within the application’s /auth/login page. CVE Notify explains that Homarr fails to properly sanitize the callbackUrl URL parameter. This parameter is used for redirects and router pushes, making it a prime target for attackers.

An attacker could exploit this by crafting a malicious link. When an authenticated user clicks this link, it could trigger a client-side redirect, executing arbitrary JavaScript within the user’s browser session. CVE Notify highlights that such an attack could pave the way for credential theft, facilitate internal network pivoting, or enable unauthorized actions to be performed under the guise of the compromised user.
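As an added example that is not Homarr's own code, the check below shows the defensive handling this class of flaw calls for: a callbackUrl-style value is resolved against the application's own origin and reduced to a same-origin path before it is handed to a router push or a location change, so javascript: URIs, protocol-relative hosts and foreign origins all fall back to a default landing page. The `sanitizeCallbackUrl` function name and the origin `https://app.example` are assumptions.

```javascript
// Added example (not Homarr's code): reduce an untrusted callbackUrl-style
// parameter to a same-origin path before using it in a redirect.
const SAFE_DEFAULT = "/";

// Returns a same-origin path (path + query + hash) for `raw`, or SAFE_DEFAULT
// when the value is missing, unparsable, or points anywhere but `origin`.
// `origin` is the application's own origin (e.g. window.location.origin).
function sanitizeCallbackUrl(raw, origin) {
  if (typeof raw !== "string" || raw.trim().length === 0) return SAFE_DEFAULT;

  let url;
  try {
    // Resolve relative to the app origin so "/path" parses as same-origin.
    // The WHATWG parser also strips tabs/newlines and treats backslashes as
    // slashes, so "/\\evil.example" resolves to a foreign host rather than
    // slipping through as a "relative" path.
    url = new URL(raw.trim(), origin);
  } catch {
    return SAFE_DEFAULT;
  }

  // javascript: and data: URLs have an opaque ("null") origin, and any absolute
  // or protocol-relative link to another host has a foreign one; both fail here.
  if (url.origin !== origin) return SAFE_DEFAULT;

  // Return only the path portion, never a full URL, so the caller can pass it
  // straight to router.push() or location.assign() without re-checking.
  return url.pathname + url.search + url.hash;
}

// Constructed sample of how a login page would use it after authentication:
// const target = sanitizeCallbackUrl(params.get("callbackUrl"), location.origin);
// router.push(target);
```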

Fortunately, this vulnerability has been addressed in Homarr version 1.57.0. Users are strongly advised to update to this latest version to patch the security hole.

What This Means For You

  • Given this DOM-based XSS in Homarr's login flow, security teams should prioritize patching all instances of Homarr to version 1.57.0 or later and review any user-reported suspicious redirects originating from the login page.

Indicators of Compromise

ID             | Type                   | Indicator
CVE-2026-33510 | XSS                    | Homarr versions prior to 1.57.0; DOM-based XSS in the /auth/login page; vulnerable parameter: callbackUrl
CVE-2026-33510 | Information Disclosure | Homarr versions prior to 1.57.0; DOM-based XSS in the /auth/login page; potential impact: credential theft, internal network pivoting, unauthorized actions