CVE-2026-25123

Name of the Vulnerable Software and Affected Versions Homarr versions prior to 1.52.0

Description Homarr is an open-source dashboard susceptible to Server-Side Request Forgery (SSRF). A public, unauthenticated tRPC endpoint, widget.app.ping, accepts an arbitrary URL and makes a server-side request to that URL. This allows an unauthenticated attacker to initiate outbound HTTP requests from the Homarr server. This capability can be used for SSRF and as a reliable port-scanning primitive, where the status of ports can be determined by analyzing status codes and request timing. The vulnerable API endpoint is widget.app.ping. The url parameter is used to specify the target URL for the server-side request.

Recommendations Update to version 1.52.0 or later.