CVE-2026-33510

Source
https://cve.org/CVERecord?id=CVE-2026-33510
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33510.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33510
Aliases
  • GHSA-79pg-554g-rw82
Published
2026-04-06T14:51:38.960Z
Modified
2026-07-08T08:12:48.765199097Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L CVSS Calculator
Summary
DOM-Based XSS in Homarr /auth/login Redirect
Details

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-601",
        "CWE-87"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33510.json"
}
References

Affected packages

Git / github.com/homarr-labs/homarr

Affected ranges

Type
GIT
Repo
https://github.com/homarr-labs/homarr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.57.0"
        }
    ],
    "cpe": "cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.13.1
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.18.1
v1.19.0
v1.19.1
v1.2.0
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.28.0
v1.28.1
v1.29.0
v1.3.0
v1.3.1
v1.30.0
v1.30.1
v1.31.0
v1.32.0
v1.33.0
v1.34.0
v1.35.0
v1.35.1
v1.36.0
v1.36.1
v1.37.0
v1.38.0
v1.39.0
v1.4.0
v1.40.0
v1.41.0
v1.42.0
v1.42.1
v1.43.0
v1.43.1
v1.43.2
v1.43.3
v1.44.0
v1.45.0
v1.45.1
v1.45.2
v1.45.3
v1.46.0
v1.47.0
v1.48.0
v1.49.0
v1.49.1
v1.5.0
v1.50.0
v1.50.1
v1.51.0
v1.52.0
v1.53.0
v1.53.1
v1.53.2
v1.54.0
v1.55.0
v1.56.0
v1.56.1
v1.6.0
v1.7.0
v1.8.0
v1.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33510.json"