Homarr Dashboard XSS (CVE-2026-33510)

Overview

A high-severity DOM-based Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-33510, affects the Homarr open-source dashboard. Versions before 1.57.0 contain a flaw in the /auth/login page where the application unsafely uses a user-controlled URL parameter named callbackUrl. This allows an attacker to inject malicious scripts.

Vulnerability Details

The vulnerability exists because the application trusts the callbackUrl parameter without proper validation or sanitization. This parameter is passed directly to client-side navigation functions (redirect and router.push). An attacker can craft a malicious link containing JavaScript payloads within this parameter. When an authenticated Homarr user clicks this link, their browser executes the attacker’s code in the context of the Homarr dashboard session.

Impact and Risks

Successful exploitation requires the victim to be authenticated and to click a malicious link. If exploited, this vulnerability can have severe consequences:

• Credential Theft: Attackers can steal session cookies or authentication tokens, leading to full account compromise.
• Unauthorized Actions: The injected script can perform any action the victim is authorized to do, such as modifying dashboard widgets, changing settings, or accessing integrated services.
• Pivoting: By leveraging the victim’s authenticated session, attackers could potentially probe and attack other internal systems accessible from the dashboard.

Remediation and Mitigation

The primary and definitive solution is to upgrade Homarr to version 1.57.0 or later, which contains the fix for this vulnerability.

Immediate Actions:

1. Update Immediately: All instances of Homarr should be upgraded to version 1.57.0 without delay.
2. User Awareness: Advise users to exercise caution with unsolicited links, even those that appear to lead to internal applications. This is a common social engineering vector for XSS attacks.
3. Temporary Mitigation: If immediate upgrading is not possible, consider implementing a web application firewall (WAF) rule to block requests containing suspicious JavaScript patterns in the callbackUrl parameter. This is not a substitute for patching.

For more on the tactics behind such attacks, recent cybersecurity news is available at security news.

Security Insight

This DOM-based XSS flaw highlights the persistent risk of client-side input validation failures in modern web applications, especially those using dynamic routing frameworks. It mirrors a common pattern seen in many single-page applications (SPAs) where URL parameters are directly consumed by client-side routers without adequate sanitization. The case underscores that even simple, self-hosted dashboards require rigorous security reviews, as they often serve as aggregation points for multiple services and credentials.

Further Reading

• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs