Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33510

CVE-2026-33510: Homarr Dashboard DOM-Based XSS Vulnerability

CVE-2026-33510 is a DOM-based XSS flaw in Homarr's login page that allows attackers to execute malicious JavaScript via crafted URLs. This article covers the technical details, affected versions, and remediation steps.

Updated:

CVE-2026-33510 Overview

CVE-2026-33510 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Homarr, an open-source dashboard application. Versions prior to 1.57.0 improperly trust the callbackUrl URL parameter on the /auth/login page. The parameter flows directly into redirect and router.push calls without sanitization. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the victim's browser context. The flaw is tracked under [CWE-87] (Improper Neutralization of Alternate XSS Syntax).

Critical Impact

Successful exploitation enables credential theft, session hijacking, internal network pivoting, and unauthorized actions performed on behalf of authenticated victims.

Affected Products

  • Homarr versions prior to 1.57.0
  • Homarr self-hosted dashboard deployments
  • Any instance exposing the /auth/login endpoint

Discovery Timeline

  • 2026-04-06 - CVE-2026-33510 published to NVD
  • 2026-04-09 - Last updated in NVD database

Technical Details for CVE-2026-33510

Vulnerability Analysis

The vulnerability resides in the authentication flow of Homarr's /auth/login page. The application accepts a callbackUrl query parameter intended to redirect users after successful authentication. This parameter is passed directly to client-side redirect functions, including redirect and router.push, without proper validation or sanitization. Because the redirect occurs in the Document Object Model (DOM), supplying a javascript: URI or similar payload causes the browser to execute attacker-controlled JavaScript in the application's origin. User interaction is required, as the victim must click the crafted link, but the resulting script runs with the victim's authenticated session privileges.

Root Cause

The root cause is improper neutralization of user-controlled input used in a redirect operation. The login component trusts the callbackUrl parameter as a safe navigation target. No allowlist of permitted destinations or scheme validation is enforced before invoking the redirect routine. This allows alternate XSS syntax patterns covered by [CWE-87] to bypass naive string checks.

Attack Vector

An attacker crafts a URL pointing to the Homarr login page with a malicious callbackUrl value containing a JavaScript payload or attacker-controlled destination. The attacker delivers the link through phishing, chat, or embedded content. When an authenticated Homarr user opens the link, the client-side router processes the parameter and executes the payload. The script can read session tokens, exfiltrate dashboard secrets, issue authenticated API calls, or pivot to internal network resources reachable from the victim's browser.

The vulnerability is described in prose because no public proof-of-concept code has been verified. See the GitHub Security Advisory for vendor-provided technical details.

Detection Methods for CVE-2026-33510

Indicators of Compromise

  • Web server access logs containing requests to /auth/login with unusual or encoded callbackUrl parameter values
  • callbackUrl parameters containing javascript:, data:, or external domain schemes
  • Outbound browser requests from authenticated Homarr sessions to attacker-controlled domains shortly after login activity
  • Anomalous API calls originating from valid sessions that deviate from typical user dashboard interactions

Detection Strategies

  • Inspect HTTP request logs for /auth/login paths and decode callbackUrl values to identify non-relative or script-bearing destinations
  • Deploy Content Security Policy (CSP) reporting to capture inline script execution attempts and unexpected navigation events
  • Monitor browser console errors and CSP violation reports tied to the Homarr origin
  • Correlate session activity with referrer headers to detect login flows initiated from external phishing infrastructure

Monitoring Recommendations

  • Enable verbose logging on the reverse proxy or web application firewall fronting Homarr
  • Alert on callbackUrl values that fail a relative-path allowlist check
  • Track repeated authentication events from the same user following suspicious referrers
  • Review network egress from administrative workstations for connections to unfamiliar hosts after Homarr usage

How to Mitigate CVE-2026-33510

Immediate Actions Required

  • Upgrade Homarr to version 1.57.0 or later, where the vulnerability is fixed
  • Audit existing user sessions and force re-authentication after upgrading
  • Educate administrators and users to avoid clicking Homarr login links from untrusted sources
  • Restrict network exposure of the Homarr instance to trusted users and networks where feasible

Patch Information

The vendor released a fix in Homarr 1.57.0. The patch sanitizes and validates the callbackUrl parameter before passing it to client-side redirect functions. Refer to the Homarr Security Advisory GHSA-79pg-554g-rw82 for upgrade instructions and release notes.

Workarounds

  • Place Homarr behind a reverse proxy that strips or validates the callbackUrl query parameter on requests to /auth/login
  • Enforce a strict Content Security Policy that disallows inline scripts and restricts navigation targets
  • Limit access to the Homarr instance via VPN or IP allowlisting until the upgrade is applied
  • Block requests containing javascript:, data:, or absolute external URLs in the callbackUrl parameter at the WAF layer
bash
# Example NGINX rule to filter dangerous callbackUrl values
location /auth/login {
    if ($arg_callbackUrl ~* "(javascript:|data:|vbscript:|//)") {
        return 400;
    }
    proxy_pass http://homarr_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.