305 matches found
PT-2026-24837
Name of the Vulnerable Software and Affected Versions ha-mcp versions prior to 7.0.0 Description ha-mcp is a Home Assistant MCP Server. The ha-mcp OAuth consent form beta feature accepts a user-supplied ha url and makes a server-side HTTP request to ha url/api/config without URL validation. An...
Directory Traversal
homeassistant is vulnerable to Directory Traversal. The vulnerability is due to insufficient validation of file paths during concatenation in the Downloader integration, which allows an attacker to manipulate paths and access unintended files...
CVE-2023-50715
Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting the Home Assistant...
CVE-2025-65713
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
EUVD-2025-204808
Home Assistant Core before is vulnerable to Directory Traversal...
eq3btsmart (=0.0.0), hass-auth-synology (>=0.0.0 <=0.4.28) +5 more potentially affected by CVE-2025-65713 via homeassistant (>=0.83.3 <=2024.12.5)
homeassistant PYPI version =0.83.3, =0.0.0, =2021.4.0, =0.4.11, =1.2.0, =0.3.0, =0.13.85 Source cves: CVE-2025-65713 Source advisory: OSV:GHSA-PP3G-XMM4-5CW9...
Home Assistant Core before is vulnerable to Directory Traversal
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
GHSA-PP3G-XMM4-5CW9 Home Assistant Core before is vulnerable to Directory Traversal
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
CVE-2025-65713
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
CVE-2025-65713
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
CVE-2025-65713
Summary. CVE-2025-65713 affects Home Assistant Core, specifically the Downloader integration within versions prior to 2025.8.0. The root cause is improper validation of file paths during path construction, enabling a directory traversal vulnerability. The public descriptions across several source...
Home Assistant 安全漏洞
Home Assistant is an open source home automation management system from Home Assistant Open Source. The system is primarily used to control home automation devices. A security vulnerability exists in Home Assistant versions prior to 2025.8.0 that stems from insufficient file path validation and...
CVE-2025-65713
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
PT-2025-52771
Name of the Vulnerable Software and Affected Versions Home Assistant Core versions prior to 2025.8.0 Description The Downloader integration does not completely validate file paths when combining them, which creates a directory traversal issue. This allows unauthorized access to files outside the...
CVE-2025-65713
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...
Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name
Summary An authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can see the Energy dashboard, when they hover over any information point The blue bar in the picture below An alternative, and more impactful scenario, is tha...
GHSA-MQ77-RV97-285M Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name
Summary An authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can see the Energy dashboard, when they hover over any information point The blue bar in the picture below An alternative, and more impactful scenario, is tha...
CVE-2025-62172
Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name fiel...
CVE-2025-62172 Home Assistant vulnerable to Stored XSS in Energy dashboard from Energy Entity Name
Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name fiel...
CVE-2025-62172 Home Assistant vulnerable to Stored XSS in Energy dashboard from Energy Entity Name
Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name fiel...