CVE-2026-33510
DOM-Based XSS in Homarr /auth/login Enables Credential Theft
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| homarr | homarr | all versions before 1.57.0 (1.57.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-87 | The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. |
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33510 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the open-source dashboard Homarr, affecting versions prior to 1.57.0.
The vulnerability exists on the /auth/login page where the application improperly trusts a URL parameter called callbackUrl. This parameter is used directly in client-side redirection functions such as redirect and router.push without proper validation or sanitization.
An attacker can craft a malicious URL containing JavaScript code in the callbackUrl parameter. When an authenticated user opens this URL, the malicious JavaScript executes in their browser context immediately. If the user is unauthenticated, the script executes after they log in.
This allows the attacker to perform actions like stealing credentials, executing unauthorized actions on behalf of the victim, and potentially pivoting within internal networks.
How can this vulnerability impact me?
This vulnerability can have serious impacts including:
- Execution of arbitrary JavaScript in the victim's browser.
- Credential theft through fake login prompts or other malicious scripts.
- Unauthorized actions performed using the victim's session, such as API calls.
- Internal network pivoting by using the victim's browser as a foothold to attack other systems.
The attack requires low attack complexity and no privileges; the only user interaction needed is clicking a malicious link.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your Homarr instance is running a version prior to 1.57.0 and if the /auth/login page improperly handles the callbackUrl parameter.
To detect potential exploitation attempts on your network or system, you can monitor HTTP requests to the /auth/login endpoint for suspicious callbackUrl parameters that include JavaScript schemes or other unusual payloads.
- Use network monitoring tools or web server logs to search for requests containing `callbackUrl` parameters starting with `javascript:` or other suspicious schemes.
- Example command to search web server logs (assuming Apache logs) for suspicious `callbackUrl` usage: `grep -i 'callbackUrl=javascript:' /var/log/apache2/access.log`
- Use tools like curl or wget to test the /auth/login endpoint with crafted URLs to verify whether the redirect is vulnerable, for example: `curl -I 'http://HOST:7575/auth/login?callbackUrl=javascript:alert(1)'`
Additionally, review the Homarr version running on your system to confirm if it is older than 1.57.0, which is the fixed version.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation is to upgrade Homarr to version 1.57.0 or later, where this vulnerability is fixed.
If upgrading immediately is not possible, implement validation and sanitization of the callbackUrl parameter to prevent execution of malicious JavaScript.
- Restrict callbackUrl to only allow absolute paths starting with a single slash "/" and disallow double slashes "//" to prevent open redirects.
- Validate that callbackUrl URLs are within the same origin and use safe protocols (http or https), blocking dangerous schemes like javascript:, data:, and vbscript:.
Example validation code to restrict `callbackUrl` usage (a `/\` prefix is rejected as well, because browsers normalize a backslash after the leading slash to `//`, which would otherwise bypass the double-slash check):

```javascript
if (
  callbackUrl &&
  callbackUrl.startsWith("/") &&
  !callbackUrl.startsWith("//") &&
  !callbackUrl.startsWith("/\\")
) {
  redirectPath = callbackUrl;
} else {
  redirectPath = "/";
}
```

Or use a more comprehensive validation function that parses the URL and checks origin and protocol before redirecting.
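The detection and mitigation answers above both hinge on the same question: is a given `callbackUrl` value a same-origin http(s) location, or something else? The following is an added example, not Homarr's own code, that answers that question once with the WHATWG URL parser and reuses it on both sides: to pick a safe redirect target for the login page, and to scan web-server log lines for `/auth/login` requests whose `callbackUrl` uses a script scheme or points at a foreign origin. `APP_ORIGIN`, the function names and the sample log lines are constructed for illustration; the log lines are in Apache combined log format. Because `URLSearchParams` percent-decodes, a payload encoded as `javascript%3A...` is caught here, whereas the literal `grep` shown above would miss it.

```javascript
// Added example (not Homarr's own code): one classifier for a callbackUrl value, used both to
// choose a safe redirect target on the login page and to flag past requests in web-server logs.
// APP_ORIGIN and the log lines below are constructed for illustration.
const APP_ORIGIN = "https://dashboard.example.internal";
const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// Resolve the value against the app origin with the WHATWG URL parser, so that
// "//evil.example/x" and "/\evil.example/x" surface as absolute URLs with a foreign origin
// and "javascript:" / "data:" values surface as non-http protocols.
function classifyCallbackUrl(callbackUrl, origin = APP_ORIGIN) {
  if (typeof callbackUrl !== "string" || callbackUrl.trim() === "") return "empty";
  let parsed;
  try {
    parsed = new URL(callbackUrl, origin);
  } catch {
    return "unparseable";
  }
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) return "script-scheme";
  if (parsed.origin !== new URL(origin).origin) return "external-origin";
  return "same-origin";
}

// Mitigation side: the only value that should ever reach redirect()/router.push().
// Anything that is not a same-origin http(s) URL collapses to "/".
function safeCallbackPath(callbackUrl, origin = APP_ORIGIN) {
  if (classifyCallbackUrl(callbackUrl, origin) !== "same-origin") return "/";
  const u = new URL(callbackUrl, origin);
  return u.pathname + u.search + u.hash; // drop scheme and host: redirect within the app only
}

// Login-page helper: take the query string (e.g. window.location.search) and return the target.
function redirectTargetFromQuery(search, origin = APP_ORIGIN) {
  return safeCallbackPath(new URLSearchParams(search).get("callbackUrl"), origin);
}

// Detection side: scan Apache combined-format lines for /auth/login requests whose callbackUrl
// is not same-origin. URLSearchParams percent-decodes, so "javascript%3A..." is caught too,
// which a literal grep for "callbackUrl=javascript:" would miss.
const REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;

function flagSuspiciousCallbacks(lines, origin = APP_ORIGIN) {
  const findings = [];
  lines.forEach((line, index) => {
    const match = REQUEST_RE.exec(line);
    if (!match) return;
    let request;
    try {
      request = new URL(match[1], origin);
    } catch {
      return;
    }
    if (request.pathname !== "/auth/login") return;
    const callbackUrl = request.searchParams.get("callbackUrl");
    if (callbackUrl === null) return;
    const verdict = classifyCallbackUrl(callbackUrl, origin);
    if (verdict === "same-origin" || verdict === "empty") return;
    findings.push({ line: index + 1, client: line.split(" ")[0], callbackUrl, verdict });
  });
  return findings;
}

// Constructed sample log (combined log format); not taken from any real deployment.
const SAMPLE_LOG = [
  '10.0.0.5 - - [06/Apr/2026:10:00:01 +0000] "GET /auth/login?callbackUrl=%2Fboards%2Fhome HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [06/Apr/2026:10:00:07 +0000] "GET /auth/login?callbackUrl=javascript%3Aalert(1) HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [06/Apr/2026:10:00:09 +0000] "GET /auth/login?callbackUrl=%2F%2Fevil.example%2Fx HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [06/Apr/2026:10:00:12 +0000] "GET /api/status HTTP/1.1" 200 55 "-" "curl/8.0"',
];

console.log(flagSuspiciousCallbacks(SAMPLE_LOG)); // two findings: line 2 script-scheme, line 3 external-origin
console.log(redirectTargetFromQuery("?callbackUrl=javascript:alert(1)")); // "/"
```

Resolving the value against the app origin rather than inspecting its prefix is what makes this hold up: `//evil.example/x`, `/\evil.example/x`, an uppercase `JavaScript:` scheme and a percent-encoded scheme all come out of the parser as either a foreign origin or a non-http protocol, so the string-prefix special cases disappear. A same-origin absolute URL is accepted but reduced to its path, query and fragment, so the redirect can never leave the application even if the scheme or host differs in case or port.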
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows execution of arbitrary JavaScript in the context of an authenticated user's browser, which can lead to credential theft and unauthorized actions performed on behalf of the victim.
Such unauthorized access and potential data breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure.
Exploitation of this vulnerability could result in exposure of personal data or credentials, thereby increasing the risk of non-compliance with these regulations.