Lucene search
K

294 matches found

Nuclei
Nuclei
added yesterday40 views

Home Assistant HACS - Local File Inclusion

Home Assistant before 2021.1.3 lacks a protection layer against directory-traversal attacks in custom integrations, letting attackers access arbitrary files, exploit requires attacker to deploy malicious custom integration. id: CVE-2021-3152 info: name: Home Assistant HACS - Local File Inclusion...

5.3CVSS6.2AI score0.02231EPSS
Exploits0References4
OSV
OSV
added 4 days ago6 views

PYSEC-2026-1454 Home Assistant Core before is vulnerable to Directory Traversal

Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...

8.3CVSS6AI score0.00362EPSS
Exploits1References9
OSV
OSV
added 4 days ago4 views

PYSEC-2026-1452 Home Assistant does not correctly validate SSL for outgoing requests in core and used libs

Summary Problem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. Details In the past, aiohttp-session/request had the parameter verifyssl to control SSL certificate verification. This was a boolean value. In...

7CVSS6AI score0.00229EPSS
Exploits0References6
OSV
OSV
added 4 days ago4 views

PYSEC-2026-1451 User accounts disclosed to unauthenticated actors on the LAN

Summary The login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Details Starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network...

4.3CVSS6AI score0.00908EPSS
Exploits1References6
CVE
CVE
added 2026/06/29 2:19 p.m.18 views

CVE-2026-55844

The Home Assistant iOS companion app prior to 2025.5.0 ignores the SSID allowlist for internal networks. It uses SSID to decide when to use the internal URL, but if no other URL is available it falls back to the internal URL, which can expose the user’s token on unsecure networks. Affected compon...

7.5CVSS5.8AI score0.00161EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/29 2:19 p.m.32 views

CVE-2026-55844 Home Assistant: iOS Companion App ignores internal SSID allowlist for connections – possible leak of access token and sensor data

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2025.5.0, The iOS companion app ignores the SSID allowlist for internal networks. The app uses SSID to detect when to use the internal URL, but whenever the app cannot find any other URL to ...

7.5CVSS0.00161EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.16 views

PT-2026-53283

Name of the Vulnerable Software and Affected Versions Home Assistant versions prior to 2025.5.0 Description The iOS companion app fails to respect the SSID allowlist for internal networks. While the app typically uses the Service Set Identifier SSID—the public name of a wireless network—to...

7.5CVSS5.8AI score0.00161EPSS
Exploits0References5
NVD
NVD
added 2026/06/23 6:18 p.m.10 views

CVE-2026-54318

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no permission. Any installed app, with zero runtime permissions, can broadcast a forged Google Play Services...

7.1CVSS0.00113EPSS
Exploits1References2
OSV
OSV
added 2026/06/23 6:18 p.m.4 views

PYSEC-2026-241

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView homeassistant/components/konnected/init.py, that is marked as not requiring authentication requiresauth = False....

7.6CVSS5.8AI score0.00193EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/23 5:40 p.m.39 views

CVE-2026-54318 Home Assistant: Exported BroadcastReceiver allows local apps to spoof device location

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no permission. Any installed app, with zero runtime permissions, can broadcast a forged Google Play Services...

7.1CVSS0.00113EPSS
Exploits1References2
CVE
CVE
added 2026/06/23 5:40 p.m.36 views

CVE-2026-54318

Affected software: Home Assistant Android components. Vulnerability: LocationSensorManager BroadcastReceiver was exported with no permission prior to 2026.5.3, allowing any local app (zero runtime permissions) to broadcast a forged Google Play Services LocationResult to spoof the device’s locatio...

7.1CVSS5.9AI score0.00113EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/06/23 5:39 p.m.36 views

CVE-2026-54317 Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView homeassistant/components/konnected/init.py, that is marked as not requiring authentication requiresauth = False....

7.6CVSS0.00193EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/23 5:39 p.m.4 views

CVE-2026-54317

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView homeassistant/components/konnected/init.py, that is marked as not requiring authentication requiresauth = False....

7.6CVSS5.8AI score0.00193EPSS
Exploits1References2Affected Software1
Circl
Circl
added 2026/06/18 9:17 a.m.9 views

CVE-2026-54317

creationtimestamp| type| source ---|---|--- 2026-06-18 09:17:38+00:00| published-proof-of-concept| https://github.com/home-assistant/core/security/advisories/GHSA-x84v-g949-293w 2026-06-24 12:13:59+00:00| seen| https://bsky.app/profile/hugovalters.bsky.social/post/3mozvbqteme22...

7.6CVSS5.8AI score0.00193EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:12 p.m.17 views

CVE-2026-44698

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and...

8.3CVSS5.8AI score0.00136EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/29 8:13 p.m.14 views

CVE-2026-45323

MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect repeated radio range to execute arbitrary javascript in the Home Assistant frontend of anyone...

9.6CVSS6.1AI score0.00317EPSS
Exploits1References1
NVD
NVD
added 2026/05/29 2:16 p.m.21 views

CVE-2026-44698

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and...

8.3CVSS0.00136EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 1:32 p.m.7 views

CVE-2026-44698

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and...

8.3CVSS6.1AI score0.00136EPSS
Exploits0References2Affected Software3
Vulnrichment
Vulnrichment
added 2026/05/29 1:32 p.m.21 views

CVE-2026-44698 Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and...

8.3CVSS6.1AI score0.00136EPSS
Exploits0References1
CVE
CVE
added 2026/05/29 1:32 p.m.80 views

CVE-2026-44698

CVE-2026-44698 affects the Home Assistant Companion apps for Android and iOS, where a JavaScript bridge exposed to in-app WebView could be reached by all frames. The root cause is the bridge exposure along with unsanitized interpolation of the JavaScript callback identifier, allowing a cross-orig...

8.3CVSS6.1AI score0.00136EPSS
Exploits0References1
Rows per page
Query Builder