Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The …

A DOM-based Cross-Site Scripting (XSS) vulnerability was discovered in Homarr, an open-source dashboard application. The vulnerability affects versions prior to 1.57.0 and is located in the /auth/login page. The application improperly trusts a URL parameter (callbackUrl) which is passed to redirect and router.push functions. Attackers can craft malicious links that execute arbitrary JavaScript in authenticated users' browsers. This can lead to credential theft, internal network pivoting, and unauthorized actions. The vulnerability has been fixed in version 1.57.0.