PT-2026-30629 · Homarr · Homarr

Trebledj · Published 2026-04-06 · Updated 2026-04-07 · CVE-2026-33510

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Homarr versions prior to 1.57.0
Description: Homarr is an open-source dashboard. A DOM-based Cross-Site Scripting (XSS) issue exists in the /auth/login page. The application improperly trusts the callbackUrl URL parameter, which is used in redirect and router.push. An attacker can create a malicious link that, when opened by an authenticated user, redirects the user and executes arbitrary JavaScript code within their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim.
Recommendations: Update to version 1.57.0 or later.
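The defensive fix for this class of bug is to validate callbackUrl before it reaches redirect or router.push. The following is an added example, not Homarr's own code or its actual patch; it assumes a hypothetical helper safeCallbackUrl and a constructed app origin https://homarr.example, and only allows same-origin http(s) paths.

```javascript
// Added example (not Homarr's code): validate a login callbackUrl before it
// reaches redirect()/router.push(). The vulnerable pattern is handing the raw
// query parameter straight through, e.g. router.push(params.get("callbackUrl")),
// which lets a javascript: or cross-origin URL drive the navigation.

const DEFAULT_REDIRECT = "/"; // assumed safe landing page

// Returns a same-origin path (path + query + fragment) or DEFAULT_REDIRECT.
// appOrigin is the dashboard's own origin, e.g. "https://homarr.example" (constructed).
function safeCallbackUrl(raw, appOrigin) {
  if (typeof raw !== "string" || raw.length === 0) return DEFAULT_REDIRECT;

  let parsed;
  try {
    // Resolving against the app origin canonicalizes the input: "/boards"
    // becomes an absolute same-origin URL, while "//evil.example" or
    // "/\\evil.example" resolve to a foreign origin and fail the check below.
    parsed = new URL(raw, appOrigin);
  } catch {
    return DEFAULT_REDIRECT; // unparseable input
  }

  // javascript: and data: URLs have an opaque origin ("null"), so they fail
  // here, as does any absolute URL that points at another host.
  if (parsed.origin !== new URL(appOrigin).origin) return DEFAULT_REDIRECT;
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return DEFAULT_REDIRECT;

  // Return only the path part, so the redirect can never leave the app.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Usage sketch for the login page (hypothetical names):
//   const target = safeCallbackUrl(searchParams.get("callbackUrl"), window.location.origin);
//   router.push(target);
```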

Exploit · Fix · Open Redirect


Related Identifiers: CVE-2026-33510
Affected Products: Homarr