58 matches found
CVE-2026-33510
Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting XSS vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter callbackUrl, which is passed to redirect and router.push. An attacker can craft a malicious...
CVE-2026-32602
Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint /api/trpc/user.register is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operation...
CVE-2026-33510
Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting XSS vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter callbackUrl, which is passed to redirect and router.push. An attacker can craft a malicious...
CVE-2026-33510 DOM-Based XSS in Homarr /auth/login Redirect
Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting XSS vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter callbackUrl, which is passed to redirect and router.push. An attacker can craft a malicious...
CVE-2026-33510 DOM-Based XSS in Homarr /auth/login Redirect
Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting XSS vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter callbackUrl, which is passed to redirect and router.push. An attacker can craft a malicious...
CVE-2026-33510
Homarr (open-source dashboard) contains a DOM-based XSS in the /auth/login flow prior to version 1.57.0. The app trusts a URL parameter (callbackUrl) that is passed to redirect and router.push, enabling an attacker with an authenticated user to craft a malicious link that performs a client-side r...
CVE-2026-32602 Homarr has a Race Condition in Invite Token Registration (TOCTOU)
Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint /api/trpc/user.register is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operation...
CVE-2026-32602
CVE-2026-32602 affects Homarr prior to 1.57.0. The user registration endpoint /api/trpc/user.register is vulnerable to a TOCTOU race condition: the registration flow performs three non-atomic DB operations (CHECK, CREATE, DELETE). Concurrent requests can pass the CHECK before any deletion, allowi...
homarr 安全漏洞
Homarr is a customizable browser homepage developed by Thomas Camlong, used to interact with the Docker container of the main server. Versions of Homarr prior to 1.57.0 contained security vulnerabilities; these vulnerabilities stemmed from DOM cross-site scripting in the login page, which could...
PT-2026-30629
Name of the Vulnerable Software and Affected Versions Homarr versions prior to 1.57.0 Description Homarr is an open-source dashboard. A DOM-based Cross-Site Scripting XSS issue exists in the /auth/login page. The application improperly trusts the callbackUrl URL parameter, which is used in redire...
homarr 安全漏洞
Homarr is a customizable browser homepage developed by Thomas Camlong, used to interact with the Docker containers of the main server. Versions of Homarr prior to 1.57.0 contained security vulnerabilities. These vulnerabilities stemmed from race conditions in the user registration endpoint, which...
CVE-2026-27796
Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service...
CVE-2026-27797
Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery SSRF vulnerability allows a remote attacker to force the Homarr server to perform arbitrary outbound HTTP requests. This can be used as an internal network access primitive e.g., reaching...
CVE-2026-27796 Homarr: Unauthenticated Information Disclosure (Integration Metadata Leak)
Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service...
CVE-2026-27796
Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service...
CVE-2026-27796
Summary: Vulnerability in Homarr prior to v1.54.0 where the integration.all tRPC endpoint was exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations (internal URLs, names, service types). This information disclosure impact is stated as ...
CVE-2026-27796 Homarr: Unauthenticated Information Disclosure (Integration Metadata Leak)
Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service...
CVE-2026-27796 Homarr: Unauthenticated Information Disclosure (Integration Metadata Leak)
Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service...
EUVD-2026-10114
Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service...
EUVD-2026-10115
Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery SSRF vulnerability allows a remote attacker to force the Homarr server to perform arbitrary outbound HTTP requests. This can be used as an internal network access primitive e.g., reaching...