VYPR

Vendor: Homarr Labs
Products: 1
CVEs: 8 (across products: 8)
Status: Private

Recent CVEs (8)
  • CVE-2025-64759 (High), Nov 19, 2025
    risk 0.53, cvss 8.1, epss 0.00

    Homarr is an open-source dashboard. Prior to version 1.43.3, a stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be…

  • CVE-2026-33510 (High), Apr 6, 2026
    risk 0.50, cvss 8.8, epss 0.00

    Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker…

  • CVE-2023-45908 (Medium), Jan 21, 2025
    risk 0.33, cvss 6.1, epss 0.00

    Homarr before v0.14.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Notebook widget.

  • CVE-2026-32602 (Medium), Apr 6, 2026
    risk 0.20, cvss 4.2, epss 0.00

    Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three…

  • CVE-2026-27796, Mar 7, 2026
    risk 0.00, cvss (not listed), epss 0.00

    Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as…

  • CVE-2026-27797, Mar 7, 2026
    risk 0.00, cvss (not listed), epss 0.00

    Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to force the Homarr server to perform arbitrary outbound HTTP requests. This can be used as an internal network access…

  • CVE-2026-25123, Feb 6, 2026
    risk 0.00, cvss (not listed), epss 0.00

    Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint, widget.app.ping, accepts an arbitrary URL and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr…

  • CVE-2025-67493, Dec 17, 2025
    risk 0.00, cvss (not listed), epss 0.00

    Homarr is an open-source dashboard. Prior to version 1.45.3, it was possible to craft an input that allowed privilege escalation and access to the groups of other users, due to missing sanitization of inputs in the LDAP search query. The vulnerability could impact all instances…