Homarr versions after v0.11.4 and before v0.15.8 contain a Stored Cross-Site Scripting (XSS) vulnerability in the iFrame widget that can be exploited using maliciously crafted hyperlinks.
The vulnerability was fixed in Pull Request #2215. The same PR also fixed other vulnerabilities.
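A defensive check for this bug class, added here as an illustration and not taken from Homarr or from Pull Request #2215: a user-supplied embed URL is parsed, restricted to `http`/`https`, and attribute-escaped before it becomes an iframe `src`. The names `sanitizeEmbedUrl`, `renderIframe` and the sandbox value are assumptions, and the sample inputs in the comments are constructed.

```javascript
// Added example (hypothetical names, not Homarr code).
// Only these schemes may ever reach an <iframe src>.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse and normalize a user-supplied URL; return null if it must not be embedded.
function sanitizeEmbedUrl(input) {
  if (typeof input !== "string") return null;
  let url;
  try {
    // The WHATWG parser lowercases the scheme and strips tabs/newlines,
    // so "JaVaScRiPt:" and "java\tscript:" both normalize to "javascript:".
    url = new URL(input.trim());
  } catch {
    return null; // relative or malformed input: nothing to embed
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // javascript:, data:, ...
  return url.href; // normalized, percent-encoded form
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the iframe markup, or return null when the URL is rejected.
function renderIframe(input) {
  const src = sanitizeEmbedUrl(input);
  if (src === null) return null;
  // Assumption: a sandbox without allow-same-origin gives the framed
  // document an opaque origin, as defense in depth behind the scheme check.
  return `<iframe src="${escapeAttr(src)}" sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>`;
}
```

The validation belongs on the server when the widget configuration is saved and again wherever the stored value is rendered, so that entries saved by a vulnerable version are also rejected.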
```yaml
---
services:
  cve-2025-xxxxx:
    container_name: "homarr"
    image: "ghcr.io/ajnart/homarr:0.15.7"
    restart: "unless-stopped"
    ports: ["80:7575"]
...
```
-- NOT AVAILABLE --
- CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-XXXXX
- Vendor URL: https://homarr.dev/
- Pull Request: ajnart/homarr#2215
- CWE: https://cwe.mitre.org/data/definitions/83.html
- CAPEC: https://capec.mitre.org/data/definitions/244.html
- WSTG: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting