Browse all 7 CVE security advisories affecting homarr-labs. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Homarr-labs develops Homarr, a self-hosted dashboard application for managing and monitoring services, used mainly by DevOps teams and system administrators. Seven CVEs have been published against it to date, and the table below shows the recurring classes: cross-site scripting (a DOM-based XSS in the /auth/login redirect and a stored XSS via malicious SVG upload, the latter rated as a possible path to privilege escalation), unauthenticated server-side request forgery in the RSS feed fetcher and in the widget.app.ping handler (the latter usable as an internal port-scan primitive), unauthenticated disclosure of integration metadata, LDAP search query injection from missing input sanitization (again with possible privilege escalation), and a TOCTOU race in invite token registration. Missing input sanitization and missing authentication checks on server-side fetchers are the root causes that repeat across the set. No public incident exploiting these flaws has been reported, but the pattern argues against exposing an unpatched instance to untrusted networks, and for treating SVG uploads and LDAP integration as high-risk configuration that needs additional hardening in production.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-33510 | DOM-Based XSS in Homarr /auth/login Redirect | homarr | CWE-87 | 8.8 | High | 2026-04-06 |
| CVE-2026-32602 | Race Condition in Invite Token Registration (TOCTOU) | homarr | CWE-367 | 4.2 | Medium | 2026-04-06 |
| CVE-2026-27796 | Unauthenticated Information Disclosure (Integration Metadata Leak) | homarr | CWE-200 | 5.3 | Medium | 2026-03-07 |
| CVE-2026-27797 | Unauthenticated SSRF in rssFeed.ts | homarr | CWE-918 | 5.3 | Medium | 2026-03-07 |
| CVE-2026-25123 | Unauthenticated SSRF / Port-Scan Primitive via widget.app.ping | homarr | CWE-918 | 5.3 | Medium | 2026-02-06 |
| CVE-2025-67493 | Missing Input Sanitization and Possible Privilege Escalation via LDAP Search Query Injection | homarr | CWE-20 | 7.5 | High | 2025-12-17 |
| CVE-2025-64759 | Stored Cross-Site Scripting (XSS) and Possible Privilege Escalation via Malicious SVG Upload | homarr | CWE-20 | 8.1 | High | 2025-11-19 |
This page lists every published CVE security advisory associated with homarr-labs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.
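Two of the classes in the table recur more than once: unauthenticated server-side fetching of user-supplied URLs (CWE-918, twice) and unescaped values reaching an LDAP search filter (CWE-20). Both come down to validating input before it reaches a network or directory call. The TypeScript below is an added example written for this page; it is not Homarr's code and not a description of the project's actual fixes. It shows a destination guard that rejects private, loopback, link-local (including the cloud metadata address) and non-default-port targets and resolves the host once so the caller can pin the connection to the checked address, plus an RFC 4515 escaper for LDAP filter values. The function names, the default port policy and the FAKE_DNS table are this example's own assumptions.

```typescript
// Added example (not Homarr's code): destination guard for server-side fetchers
// of user-supplied URLs, and an RFC 4515 escaper for LDAP search filter values.
// Every name below is this example's own assumption.

interface UrlCheck {
  ok: boolean;
  reason?: string;
  address?: string; // the checked address the caller should connect to
}

type Resolver = (hostname: string) => string[];

// Dotted-quad IPv4 literal -> unsigned 32-bit value, or null if malformed.
function parseIPv4(s: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let v = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    v = (v << 8) | octet;
  }
  return v >>> 0;
}

function inCidr(ip: number, base: string, bits: number): boolean {
  const b = parseIPv4(base);
  if (b === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((b & mask) >>> 0);
}

// Deny-list of destinations a dashboard must never fetch on a user's behalf:
// "this host", RFC 1918, CGNAT, loopback, link-local (which contains the
// 169.254.169.254 cloud metadata service), multicast/reserved, and the IPv6
// unspecified/loopback, ULA, link-local and multicast ranges. IPv4-mapped IPv6
// (::ffff:10.0.0.1, or the ::ffff:a00:1 spelling the WHATWG URL parser emits)
// is unwrapped and checked as IPv4. A deny-list is a backstop, not an allow-list.
function isBlockedAddress(addr: string): boolean {
  let a = addr.toLowerCase().replace(/^\[|\]$/g, "");
  const zone = a.indexOf("%"); // drop zone id: fe80::1%eth0
  if (zone !== -1) a = a.slice(0, zone);

  const mappedDotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a);
  if (mappedDotted) a = mappedDotted[1];
  const mappedHex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(a);
  if (mappedHex) {
    const n = (parseInt(mappedHex[1], 16) << 16) | parseInt(mappedHex[2], 16);
    a = [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
  }

  const v4 = parseIPv4(a);
  if (v4 !== null) {
    const ranges: Array<[string, number]> = [
      ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
      ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
    ];
    return ranges.some(([base, bits]) => inCidr(v4, base, bits));
  }
  if (a.indexOf(":") === -1) return false; // not an IP literal at all
  if (a.indexOf("::") === 0) return true;   // ::, ::1, deprecated ::a.b.c.d
  const first = parseInt(a.split(":")[0], 16);
  return (first & 0xfe00) === 0xfc00    // fc00::/7 unique local
      || (first & 0xffc0) === 0xfe80    // fe80::/10 link-local
      || (first & 0xff00) === 0xff00;   // ff00::/8 multicast
}

// Ports a widget may reach unless an admin extends the list ("" = scheme default).
// Restricting ports removes the "is port N open?" oracle even against public hosts.
const DEFAULT_PORTS = ["", "80", "443"];

function validateOutboundUrl(raw: string, resolve: Resolver,
                             allowedPorts: string[] = DEFAULT_PORTS): UrlCheck {
  let u: URL;
  try { u = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return { ok: false, reason: "scheme not allowed: " + u.protocol };
  if (u.username !== "" || u.password !== "") return { ok: false, reason: "credentials in URL" };
  if (allowedPorts.indexOf(u.port) === -1) return { ok: false, reason: "port not allowed: " + u.port };
  const host = u.hostname; // WHATWG parsing normalises 0x7f000001, 127.1 etc. to dotted form
  if (host === "localhost" || /\.localhost$/.test(host)) return { ok: false, reason: "localhost" };
  // Resolve once and hand the address back so the caller connects to exactly the
  // address that was checked; re-resolving at connect time invites DNS rebinding.
  const isLiteral = host[0] === "[" || parseIPv4(host) !== null;
  const addresses = isLiteral ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: "unresolvable host" };
  for (const addr of addresses) {
    if (isBlockedAddress(addr)) return { ok: false, reason: "resolves to blocked address " + addr };
  }
  return { ok: true, address: addresses[0] };
}

// Constructed stand-in for DNS so the example runs offline; real code would call
// dns.promises.lookup(host, { all: true }) here.
const FAKE_DNS: Record<string, string[]> = {
  "feeds.example.net": ["203.0.113.10"],
  "metadata.internal": ["169.254.169.254"],
  "rebind.example.net": ["203.0.113.20", "10.0.0.5"], // one bad answer rejects the host
};
const fakeResolve: Resolver = (h) => FAKE_DNS[h] || [];

// RFC 4515 escaping for a value spliced into a search filter, e.g.
// "(&(objectClass=user)(uid=" + escapeLdapFilterValue(login) + "))".
// These five characters are the only ones the filter grammar treats specially.
const LDAP_FILTER_ESCAPES: Record<string, string> = {
  "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\u0000": "\\00",
};
function escapeLdapFilterValue(value: string): string {
  return value.replace(/[\\*()\u0000]/g, (c) => LDAP_FILTER_ESCAPES[c]);
}
```

Because both SSRF advisories in the table are titled "unauthenticated", the first fix for that class is requiring a session on the handler; the destination guard is the second layer, and an admin-configured allow-list of upstream hosts is stronger than any deny-list. Use escapeLdapFilterValue only for filter values; distinguished-name components follow the different RFC 4514 escaping rules.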