CVE-2026-33510 · HIGH 8.8 · EPSS percentile 14.0%

CVE-2026-33510

Description

Homarr is an open-source dashboard. Prior to 1.57.0, Homarr's /auth/login page contains a DOM-based cross-site scripting (XSS) vulnerability. The page trusts the callbackUrl URL parameter and passes it unvalidated to redirect and router.push. An attacker can craft a link that, when opened by an authenticated user, triggers a client-side redirect and executes arbitrary JavaScript in the context of the victim's browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. The vulnerability is fixed in 1.57.0.
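As an added example (not Homarr's code and not taken from the advisory), the following JavaScript contrasts the pattern the description names, a callbackUrl handed to a client-side redirect unchanged, with a validator that accepts only same-origin relative paths. The function names, the fallback path "/" and the placeholder origin http://app.invalid are assumptions made for illustration; the sample inputs are constructed.

```javascript
// Added example, not Homarr's code: validating a post-login callbackUrl
// before it reaches redirect()/router.push(). The names vulnerableTarget and
// safeTarget, the fallback "/" and BASE_ORIGIN are assumptions for illustration.

const FALLBACK_PATH = "/";
// Any fixed base works: only the *relative* result is returned to the caller.
const BASE_ORIGIN = "http://app.invalid";

// The pattern the advisory describes: the raw query parameter is passed on
// as-is, so "javascript:..." and "//evil.example" reach the navigation API
// unchanged and the browser decides what to do with them.
function vulnerableTarget(callbackUrl) {
  return callbackUrl;
}

// Hardened version: accept only a same-origin, path-only relative URL.
function safeTarget(callbackUrl, fallback = FALLBACK_PATH) {
  if (typeof callbackUrl !== "string" || callbackUrl.length === 0) return fallback;

  // Must start with exactly one "/": rejects absolute URLs ("https://", "javascript:")
  // and protocol-relative forms ("//evil", "/\evil", which browsers treat alike).
  if (!/^\/(?![\/\\])/.test(callbackUrl)) return fallback;

  // The WHATWG URL parser strips tabs and newlines, so "/\t/evil" would turn
  // into "//evil" after parsing. Reject control characters and whitespace outright.
  if (/[\u0000-\u001F\u007F\s]/.test(callbackUrl)) return fallback;

  // Parse against a fixed origin and confirm the origin did not change.
  let parsed;
  try {
    parsed = new URL(callbackUrl, BASE_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== BASE_ORIGIN) return fallback;

  // Return the normalised relative URL, never the attacker's raw string.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample values an attacker might place in ?callbackUrl=
const SAMPLES = [
  "/dashboard?tab=apps",
  "javascript:alert(document.cookie)",
  "//evil.example/phish",
  "/\\evil.example",
  "https://evil.example/",
  "/\t/evil.example",
];

// Rows of [input, what the vulnerable pattern forwards, what the validator returns].
function demo() {
  return SAMPLES.map((s) => [s, vulnerableTarget(s), safeTarget(s)]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [input, vuln, safe] of demo()) {
    console.log(JSON.stringify(input), "->", JSON.stringify(vuln), "|", JSON.stringify(safe));
  }
}
```

The validator returns the re-serialised path from the URL parser rather than the original string, so traversal segments are normalised and anything the parser would have reinterpreted (backslashes, embedded whitespace, a second scheme) has already been rejected. Running the block prints one row per sample: only the first input survives the check, every other one falls back to "/".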

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
EPSS: 0.23% probability of exploitation · percentile 14.0% · 2026-06-19T12:03:05Z
Published: 2026-04-06
Last modified: 2026-04-09

Underlying weaknesses· 2

CWE-87, CWE-601

References

  1. https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82

Weakness mappings · 2

Type       Target                                                         Confidence  Tier
Weakness   URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)  0%          live
Weakness   Improper Neutralization of Alternate XSS Syntax (CWE-87)       0%          live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-67493
CVE: CVE-2026-39344
CVE: CVE-2026-34931
CVE: CVE-2025-59832
CVE: CVE-2026-34932
CVE: CVE-2026-33506

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.