
66 matches found

Veracode
added 2026/01/23 10:47 a.m., 2 views

Denial-Of-Service (DoS)

ESPHome is vulnerable to Denial-of-Service (DoS). The vulnerability is due to an integer overflow in the API protobuf decoder, where an attacker-controlled field_length value can overflow the bounds check in proto.cpp, bypassing validation and causing invalid memory access that crashes the device,...

CVSS 7.5 | AI score 5.9 | EPSS 0.00092
Exploits: 0 | References: 4 | Affected Software: 1

OSV
added 2026/01/21 1:2 a.m., 3 views

GHSA-4H3H-63V6-88QX ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component

Summary: An integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. Details: The bounds check ptr + field_length > end in components/api/proto.cpp can overflow when a malicious client sends a large field_length value. This affects all...

CVSS 6.8 | AI score 5.6 | EPSS 0.00092
Exploits: 0 | References: 6

EUVD
added 2026/01/21 1:2 a.m., 2 views

EUVD-2026-3306

ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component...

CVSS 6.3 | AI score 5.4 | EPSS 0.00092
Exploits: 0 | References: 5

RedhatCVE
added 2026/01/20 3:51 a.m., 3 views

CVE-2026-23833

A flaw was found in ESPHome. An integer overflow vulnerability exists in the API component's protobuf decoder. A remote attacker can exploit this by sending a specially crafted, large field_length value, which bypasses a bounds check. This can lead to a denial-of-service (DoS) condition, causing the...

CVSS 7.5 | AI score 5.6 | EPSS 0.00092
Exploits: 0 | References: 7

Snyk
added 2026/01/19 6:48 p.m., 1 views

Integer Overflow or Wraparound

Overview: esphome makes creating custom firmwares for ESP32/ESP8266 super easy. Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the protobuf decoder in the API component. An attacker can cause the device to read invalid memory and crash by sending a...

CVSS 7.5 | AI score 5.7 | EPSS 0.00092
Exploits: 0 | References: 2

NVD
added 2026/01/19 6:16 p.m., 2 views

CVE-2026-23833

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check ptr + field_length > end in...

CVSS 7.5 | EPSS 0.00092
Exploits: 0 | References: 4

Vulnrichment
added 2026/01/19 5:58 p.m., 1 views

CVE-2026-23833 ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check ptr + field_length > end in...

CVSS 6.3 | AI score 5.5 | EPSS 0.00092
Exploits: 0 | References: 4

CVE
added 2026/01/19 5:58 p.m., 7 views

CVE-2026-23833

ESPHome CVE-2026-23833: An integer overflow in the API component protobuf decoder (bounds check ptr + field_length in components/api/proto.cpp) allows denial-of-service by sending a large field_length. Affects ESPHome versions 2025.9.0–2025.12.6 across all supported devices (ESP32/ESP8266/RP2040/...

CVSS 7.5 | AI score 5.5 | EPSS 0.00092
Exploits: 0 | References: 4 | Affected Software: 1

Cvelist
added 2026/01/19 5:58 p.m., 13 views

CVE-2026-23833 ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check ptr + field_length > end in...

CVSS 6.3 | EPSS 0.00092
Exploits: 0 | References: 4

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-0071

Malware in sbrugna...

CVSS 7.5 | AI score 7.5 | EPSS 0.00284
Exploits: 0 | References: 8

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2024-0825

Malicious code in bioql PyPI...

CVSS 8.1 | AI score 6.7 | EPSS 0.00055
Exploits: 0 | References: 8

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2024-0886

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.4 | EPSS 0.00265
Exploits: 0 | References: 3

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2024-0877

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 7.3 | EPSS 0.04457
Exploits: 1 | References: 4

Veracode
added 2025/09/30 4:46 p.m., 3 views

Improper Authentication

esphome is vulnerable to improper authentication. The vulnerability is due to the webserver authentication check incorrectly passing when the client-supplied base64-encoded Authorization value is empty or a substring of the correct value, which allows an attacker to gain unauthorized access to...

CVSS 8.1 | AI score 7 | EPSS 0.04759
Exploits: 1 | References: 4 | Affected Software: 1

NVD
added 2025/09/02 1:15 a.m., 1 views

CVE-2025-57808

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's webserver authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correc...

CVSS 8.1 | EPSS 0.04759
Exploits: 1 | References: 2

Snyk
added 2025/09/02 12:42 a.m., 1 views

Incorrect Implementation of Authentication Algorithm

Overview: esphome makes creating custom firmwares for ESP32/ESP8266 super easy. Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm in the webserver authentication process. An attacker can gain unauthorized access to web server functionality...

CVSS 8.6 | AI score 6.9 | EPSS 0.04759
Exploits: 1 | References: 2

OSV
added 2025/09/02 12:26 a.m., 1 views

CVE-2025-57808 ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's webserver authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correc...

CVSS 8.1 | AI score 6.6 | EPSS 0.04759
Exploits: 1 | References: 4

CVE
added 2025/09/02 12:26 a.m., 12 views

CVE-2025-57808

ESPHome’s ESP-IDF web_server authentication check in version 2025.8.0 can be bypassed when the client-supplied Base64 Authorization value is empty or a substring of the correct value, allowing access to web_server functionality (including OTA if enabled) without valid credentials. This authentication ...

CVSS 8.1 | AI score 6.3 | EPSS 0.04759
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2025/09/02 12:26 a.m., 4 views

CVE-2025-57808 ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's webserver authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correc...

CVSS 8.1 | EPSS 0.04759
Exploits: 1 | References: 2

CNNVD
added 2025/09/02 12:0 a.m., 1 views

ESPHome Security Vulnerability

ESPHome is an open source system for configuring and managing smart hardware. It is used to control Esp8266/Esp32 hardware for home automation control. A security vulnerability exists in ESPHome version 2025.8.0, which stems from improper webserver authentication checking and could lead t...

CVSS 8.1 | AI score 6.5 | EPSS 0.04759
Exploits: 1 | References: 4