CVE-2026-33510
Received Received - Intake
DOM-Based XSS in Homarr /auth/login Enables Credential Theft

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33510
EUVD
EUVD-2026-19287
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
homarr homarr to 1.57.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-87 The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33510 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the open-source dashboard Homarr, affecting versions prior to 1.57.0.

The vulnerability exists on the /auth/login page where the application improperly trusts a URL parameter called callbackUrl. This parameter is used directly in client-side redirection functions such as redirect and router.push without proper validation or sanitization.

An attacker can craft a malicious URL containing JavaScript code in the callbackUrl parameter. When an authenticated user opens this URL, the malicious JavaScript executes in their browser context immediately. If the user is unauthenticated, the script executes after they log in.

This allows the attacker to perform actions like stealing credentials, executing unauthorized actions on behalf of the victim, and potentially pivoting within internal networks.

Impact Analysis

This vulnerability can have serious impacts including:

  • Execution of arbitrary JavaScript in the victim’s browser.
  • Credential theft through fake login prompts or other malicious scripts.
  • Unauthorized actions performed using the victim’s session, such as API calls.
  • Internal network pivoting by using the victim’s browser as a foothold to attack other systems.

The attack requires low complexity, no privileges, and only user interaction by clicking a malicious link.

Detection Guidance

This vulnerability can be detected by identifying if your Homarr instance is running a version prior to 1.57.0 and if the /auth/login page improperly handles the callbackUrl parameter.

To detect potential exploitation attempts on your network or system, you can monitor HTTP requests to the /auth/login endpoint for suspicious callbackUrl parameters that include JavaScript schemes or other unusual payloads.

  • Use network monitoring tools or web server logs to search for requests containing callbackUrl parameters starting with "javascript:" or other suspicious schemes.
  • Example command to search web server logs (assuming Apache logs) for suspicious callbackUrl usage: grep -i 'callbackUrl=javascript:' /var/log/apache2/access.log
  • Use tools like curl or wget to test the /auth/login endpoint with crafted URLs to verify if the redirect is vulnerable, for example: curl -I 'http://HOST:7575/auth/login?callbackUrl=javascript:alert(1)'

Additionally, review the Homarr version running on your system to confirm if it is older than 1.57.0, which is the fixed version.

Mitigation Strategies

The primary immediate mitigation is to upgrade Homarr to version 1.57.0 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, implement validation and sanitization of the callbackUrl parameter to prevent execution of malicious JavaScript.

  • Restrict callbackUrl to only allow absolute paths starting with a single slash "/" and disallow double slashes "//" to prevent open redirects.
  • Validate that callbackUrl URLs are within the same origin and use safe protocols (http or https), blocking dangerous schemes like javascript:, data:, and vbscript:.

Example validation code to restrict callbackUrl usage: if (callbackUrl && callbackUrl.startsWith("/") && !callbackUrl.startsWith("//")) { redirectPath = callbackUrl; } else { redirectPath = "/"; }

Or use a more comprehensive validation function that parses the URL and checks origin and protocol before redirecting.

Compliance Impact

The vulnerability allows execution of arbitrary JavaScript in the context of an authenticated user's browser, which can lead to credential theft and unauthorized actions performed on behalf of the victim.

Such unauthorized access and potential data breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure.

Exploitation of this vulnerability could result in exposure of personal data or credentials, thereby increasing the risk of non-compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33510. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart