Homarr-labs Homarr
7 CVEs affecting Homarr-labs Homarr. Latest disclosed: 2026-04-06. Critical: 0, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-33510 | High | 8.8 | 2026-04-06 | Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The… |
| CVE-2025-64759 | High | 8.1 | 2025-11-19 | Homarr is an open-source dashboard. Prior to version 1.43.3, a stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browse… |
| CVE-2025-67493 | High | 7.5 | 2025-12-17 | Homarr is an open-source dashboard. Prior to version 1.45.3, it was possible to craft an input which allowed privilege escalation and getting access to groups… |
| CVE-2026-27796 | Medium | 5.3 | 2026-03-07 | Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthentica… |
| CVE-2026-27797 | Medium | 5.3 | 2026-03-07 | Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to fo… |
| CVE-2026-25123 | Medium | 5.3 | 2026-02-06 | Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-si… |
| CVE-2026-32602 | Medium | 4.2 | 2026-04-06 | Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an… |