CVE-2026-33510 Overview
A DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr, an open-source dashboard application. Prior to version 1.57.0, the application's /auth/login page improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push functions. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This vulnerability could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the victim's browser, potentially stealing session tokens, capturing credentials, or performing actions on behalf of authenticated users within the Homarr dashboard.
Affected Products
- Homarr versions prior to 1.57.0
- Homarr open-source dashboard installations with /auth/login page exposed
Discovery Timeline
- 2026-04-06 - CVE-2026-33510 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-33510
Vulnerability Analysis
This DOM-based XSS vulnerability (CWE-87: Improper Neutralization of Alternate XSS Syntax) exists in the authentication flow of the Homarr dashboard. The core issue stems from insufficient validation of the callbackUrl parameter on the /auth/login page. When a user accesses the login page with a malicious callbackUrl parameter, the application processes this value through client-side redirect functions without proper sanitization.
The vulnerability is exploitable over the network and requires user interaction, specifically convincing an authenticated user to open a malicious link. Because the vulnerability's scope is rated as changed, successful exploitation can affect resources beyond the vulnerable component itself: script running in the victim's browser may be able to reach other services on the internal networks where Homarr dashboards are commonly deployed.
Root Cause
The root cause lies in the improper handling of the callbackUrl URL parameter within the Homarr authentication mechanism. The application directly passes user-controlled input to client-side redirect functions (redirect and router.push) without adequate sanitization or validation. This allows attackers to inject JavaScript URLs or other malicious payloads that execute when the redirect occurs.
DOM-based XSS differs from traditional reflected or stored XSS in that the malicious payload is never processed or reflected by server-side code; the vulnerability lives entirely in the client-side JavaScript that reads the URL parameter. The parameter still travels in the request for the login page, which is why the server-side access-log checks described under Detection Methods can still observe it.
Attack Vector
The attack vector involves crafting a malicious URL that includes JavaScript code within the callbackUrl parameter. When an authenticated user clicks the malicious link:
- The user's browser loads the Homarr /auth/login page with the attacker-controlled callbackUrl
- The client-side JavaScript extracts the callbackUrl parameter value
- The application attempts to redirect using redirect or router.push with the malicious payload
- JavaScript execution occurs in the context of the victim's authenticated session
Attackers can leverage this vulnerability to steal session cookies, capture keystrokes, redirect users to phishing pages, or perform actions within the Homarr dashboard on behalf of the victim. Given that Homarr is commonly used to manage home server dashboards, successful exploitation could provide attackers with visibility into internal network infrastructure and connected services.
Detection Methods for CVE-2026-33510
Indicators of Compromise
- Unusual requests to /auth/login containing javascript: protocol in the callbackUrl parameter
- Requests with encoded or obfuscated JavaScript payloads in URL parameters
- Suspicious redirect chains originating from the Homarr login page
- External script loads or unexpected network requests initiated from Homarr pages
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block javascript: and data: protocols in URL parameters
- Monitor HTTP access logs for requests to /auth/login with suspicious callbackUrl values containing special characters or encoding
- Deploy Content Security Policy (CSP) headers to restrict inline script execution and report violations
- Configure SentinelOne Singularity to monitor for anomalous browser behavior and script injection attempts
Monitoring Recommendations
- Enable detailed logging for all authentication-related endpoints in Homarr
- Set up alerting for requests containing URL-encoded JavaScript patterns in query parameters
- Review CSP violation reports for attempts to execute inline scripts
- Monitor for unusual session activity following login page access
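The access-log check described above (login requests whose callbackUrl carries a script scheme, an encoded or double-encoded payload, or an off-site redirect), written here as an added example rather than SentinelOne or Homarr tooling. The log lines are constructed in combined log format, the field layout is assumed from that format, and the "absolute-url" class will need tuning if a deployment legitimately passes absolute same-origin callbacks.

```javascript
// Added example: triage of web-server access logs for the callbackUrl indicators
// above. Not SentinelOne or Homarr tooling; the log lines are constructed in
// combined log format, and the client/timestamp/request field layout is assumed.
// Percent-decode repeatedly (bounded) so a double-encoded value is judged as the
// browser will eventually see it; stop once decoding no longer changes it.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // malformed %-sequence
    if (next === current) break;
    current = next;
  }
  return current;
}
// Browsers drop ASCII tab/newline and leading whitespace before reading the scheme,
// so "java\tscript:" is still a javascript: URL; normalize the same way before matching.
function classify(callbackUrl) {
  const v = callbackUrl.replace(/[\t\n\r]/g, "").replace(/^\s+/, "").toLowerCase();
  if (/^(javascript|data|vbscript):/.test(v)) return "script-scheme";
  if (/^[a-z][a-z0-9+.-]*:/.test(v)) return "absolute-url";   // off-site redirect candidate
  if (/^[\/\\]{2}/.test(v)) return "protocol-relative";         // "//host" or "/\host"
  return null;                                                   // plain relative path
}
// client ident user [time] "METHOD target HTTP/x" status ...
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}/;
function scanAccessLog(log) {
  const findings = [];
  log.split("\n").forEach((text, idx) => {
    const m = LOG_RE.exec(text);
    if (!m) return;
    const [, client, target] = m;
    let url;
    try { url = new URL(target, "http://placeholder.invalid"); } catch { return; }
    if (url.pathname !== "/auth/login") return;
    const raw = url.searchParams.get("callbackUrl"); // URLSearchParams decodes once
    if (raw === null) return;
    const decoded = fullyDecode(raw);
    const reason = classify(decoded);
    if (reason) findings.push({ line: idx + 1, client, callbackUrl: decoded, reason });
  });
  return findings;
}
// Constructed sample log: one benign login, two suspicious ones, one unrelated request.
const SAMPLE_LOG = [
  '203.0.113.5 - - [06/Apr/2026:10:00:01 +0000] "GET /auth/login?callbackUrl=%2Fboards%2Fhome HTTP/1.1" 200 512',
  '203.0.113.9 - - [06/Apr/2026:10:00:07 +0000] "GET /auth/login?callbackUrl=javascript%3Aalert(1) HTTP/1.1" 200 512',
  '203.0.113.9 - - [06/Apr/2026:10:00:09 +0000] "GET /auth/login?callbackUrl=%252F%252Fattacker.example%252F HTTP/1.1" 200 512',
  '203.0.113.7 - - [06/Apr/2026:10:00:12 +0000] "GET /api/boards HTTP/1.1" 200 2048',
].join("\n");
```

Running scanAccessLog(SAMPLE_LOG) reports lines 2 and 3 (script scheme and a double-encoded protocol-relative redirect) and ignores the benign and unrelated requests.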
How to Mitigate CVE-2026-33510
Immediate Actions Required
- Upgrade Homarr to version 1.57.0 or later immediately
- If immediate upgrade is not possible, consider temporarily restricting access to the Homarr dashboard to trusted networks only
- Implement a strong Content Security Policy header to mitigate the impact of XSS attacks
- Educate users about the risks of clicking untrusted links to the Homarr dashboard
Patch Information
This vulnerability is fixed in Homarr version 1.57.0. The patch addresses the improper handling of the callbackUrl parameter by implementing proper validation and sanitization before using the value in redirect functions. Organizations should upgrade to version 1.57.0 or later to fully remediate this vulnerability.
For detailed patch information and the security advisory, refer to the GitHub Security Advisory for GHSA-79pg-554g-rw82.
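The kind of validation the patch description refers to, and the fix for the root cause described earlier (a user-controlled callbackUrl handed straight to router.push), shown as an added example. This is not Homarr's actual patch; the origin and the sample values are assumed, and the value is taken from URLSearchParams, so it arrives percent-decoded once.

```javascript
// Added example of a callbackUrl guard for a login page; not Homarr's own patch.
// Vulnerable pattern (what the advisory describes): router.push(searchParams.get("callbackUrl"))
// The guard accepts only same-origin relative paths and falls back to "/" otherwise.
const DEFAULT_REDIRECT = "/";

function safeCallbackUrl(raw, origin) {
  if (!raw) return DEFAULT_REDIRECT;
  // Structural check: must be a plain relative path. Rejects "javascript:", "data:",
  // "https://other.host", protocol-relative "//host" and "/\host" (normalized to "//host").
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return DEFAULT_REDIRECT;
  }
  // Let the WHATWG URL parser resolve it as the browser will (it strips tabs and
  // newlines and treats "\" as "/"), then insist the result stays on our origin.
  let resolved;
  try {
    resolved = new URL(raw, origin);
  } catch {
    return DEFAULT_REDIRECT;
  }
  if (resolved.origin !== origin) return DEFAULT_REDIRECT;
  // Hand router.push a normalized path, never the raw parameter.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Login-page helper: read callbackUrl from the page's own URL. URLSearchParams
// percent-decodes once, so "javascript%3A..." already arrives as "javascript:".
function resolveLoginCallback(loginHref) {
  const page = new URL(loginHref);
  return safeCallbackUrl(page.searchParams.get("callbackUrl"), page.origin);
}

// Constructed inputs showing the guard's decisions; the origin is assumed.
function demo() {
  const origin = "https://homarr.example";
  const samples = [
    "/boards/home",               // kept
    "/boards?tab=1#top",          // kept, normalized
    "javascript:alert(1)",        // script URL -> "/"
    "//attacker.example/",        // protocol-relative -> "/"
    "https://attacker.example/",  // absolute off-origin -> "/"
    "/\\attacker.example/",       // backslash trick -> "/"
    "/\n//attacker.example/",     // newline stripped by the parser -> "/"
  ];
  return samples.map((s) => [s, safeCallbackUrl(s, origin)]);
}
```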
Workarounds
- Deploy a reverse proxy with WAF capabilities to filter malicious callbackUrl parameter values
- Implement network-level access controls to restrict Homarr dashboard access to trusted IP ranges
- Add Content Security Policy headers via reverse proxy configuration to block inline JavaScript execution
- Consider disabling public access to the Homarr instance until patching is complete
# Example nginx configuration to add CSP headers
# Note: add_header in a location block replaces headers inherited from the server
# block, so repeat any other security headers here. Roll out with
# Content-Security-Policy-Report-Only first: without 'unsafe-inline' in script-src
# the policy also blocks javascript: navigations, but it may break the dashboard's
# own inline scripts, so confirm the UI still loads before enforcing it.
location / {
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
    proxy_pass http://homarr:7575;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.