2 matches found
Cross-site Scripting (XSS)
homeassistant is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of energy entity names containing HTML, which allows an authenticated attacker—or a malicious energy provider default name—to inject JavaScript that executes when users hover over graph...
CVE-2025-62172
Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name fiel...