20 matches found
CVE-2025-65713
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
GHSA-PP3G-XMM4-5CW9 Home Assistant Core before is vulnerable to Directory Traversal
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
Home Assistant Core before is vulnerable to Directory Traversal
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
EUVD-2025-204808
Home Assistant Core before is vulnerable to Directory Traversal...
CVE-2025-65713
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
CVE-2025-65713
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
CVE-2025-65713
Summary. CVE-2025-65713 affects Home Assistant Core, specifically the Downloader integration within versions prior to 2025.8.0. The root cause is improper validation of file paths during path construction, enabling a directory traversal vulnerability. The public descriptions across several source...
CVE-2025-65713
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
PT-2025-52771
Name of the Vulnerable Software and Affected Versions Home Assistant Core versions prior to 2025.8.0 Description The Downloader integration does not completely validate file paths when combining them, which creates a directory traversal issue. This allows unauthorized access to files outside the...
CVE-2025-65713
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
CVE-2025-62172
creationtimestamp | type | source
---|---|---
2025-10-14 13:14:54+00:00 | published-proof-of-concept | https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m...
CVE-2025-25305
CVE-2025-25305 affects Home Assistant Core and libraries it uses, with a root cause of missing SSL certificate verification in outgoing requests. The issue stems from migrating the legacy verify_ssl parameter to the newer ssl parameter, which in some cases could leave request.ssl = True and disab...
CVE-2025-25305 SSL validation for outgoing requests in Home Assistant Core and used libs not correct
Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past,...
PT-2025-7078 · Unknown +1 · Home Assistant Core +2
Name of the Vulnerable Software and Affected Versions: Home Assistant Core versions prior to 2024.1.6 Description: The issue concerns a potential man-in-the-middle attack due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past,...
Cross Site Scripting (XSS)
home-assistant/core and home-assistant-js-websocket are vulnerable to XSS attack. The vulnerability occurs due to a loophole in Websocket authentication logic. The logic utilises a state parameter which contains hassurl. This mechanism enables attackers to spoof websocket responses and trigger XSS...
CVE-2023-41894 Local-only webhooks externally accessible via SniTun in Home Assistant Core
Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the .ui.nabu.casa URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the...
Cross site scripting
Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected auth_callback=1, which is leveraged by the WebSocket authentication logic in tandem with the state parameter. The state parameter contains the hassUrl, which is...
CVE-2023-41895 Cross-site Scripting via auth_callback login in Home Assistant Core
Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the redirect_uri and client_id parameters. Although the redirect_uri validation typically ensures that it matches th...
CVE-2023-41899 Partial Server-Side Request Forgery in Home Assistant Core
Home assistant is an open source home automation. In affected versions the hassio.addon_stdin is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service e.g.: through GHSA-h2jp-7grc-9xpp may be able to invoke any Supervisor REST API endpoints with a PO...
PT-2023-28152 · Unknown · Home-Assistant-Js-Websocket +1
Name of the Vulnerable Software and Affected Versions: Home Assistant Core versions prior to 2023.8.0 home-assistant-js-websocket versions prior to 8.2.0 Description: The issue concerns an open-source home automation system where the WebSocket authentication logic is vulnerable to exploitation...