What is CVE-2026-33510?

CVE-2026-33510 is a high-severity vulnerability in Homarr-labs Homarr, classified under Improper Neutralization of Alternate XSS Syntax. CVSS score: 8.8/10. Published 2026-04-06.

How severe is CVE-2026-33510?

High severity. CVSS v3 base score is 8.8 out of 10.

XSS in Homarr-labs Homarr

CVE-2026-33510

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to…

EPSS: 0.001 (21.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L.

Affected products

Homarr-labs Homarr — versions < 1.57.0

Weakness classification (CWE)

CWE-87 — Improper Neutralization of Alternate XSS Syntax
CWE-601 — URL Redirection to Untrusted Site (Open Redirect)

References

https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82 (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-33510?: CVE-2026-33510 is a high-severity vulnerability in Homarr-labs Homarr, classified under Improper Neutralization of Alternate XSS Syntax. CVSS score: 8.8/10. Published 2026-04-06.
How severe is CVE-2026-33510?: High severity. CVSS v3 base score is 8.8 out of 10.