VYPR

PyPI package

esphome

pkg:pypi/esphome

Vulnerabilities (6)

  • CVE-2026-23833Jan 19, 2026
    affected >= 2025.9.0, < 2025.12.7fixed 2025.12.7

    ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check `ptr +

  • CVE-2025-57808Sep 2, 2025
    affected < 2025.8.1fixed 2025.8.1

    ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a subst

  • CVE-2024-29019HigApr 11, 2024
    affected >= 2023.12.9, < 2024.3.0fixed 2024.3.0

    ESPHome is a system to control microcontrollers remotely through Home Automation systems. API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attac

  • CVE-2024-27287Mar 6, 2024
    affected >= 2023.12.9, < 2024.2.2fixed 2024.2.2

    ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on)

  • CVE-2024-27081Feb 26, 2024
    affected >= 2023.12.9, < 2024.2.1fixed 2024.2.1

    ESPHome is a system to control your ESP8266/ESP32. A security misconfiguration in the edit configuration file API in the dashboard component of ESPHome version 2023.12.9 (command line installation) allows authenticated remote attackers to read and write arbitrary files under the

  • CVE-2021-41104Sep 28, 2021
    affected < 2021.9.2fixed 2021.9.2

    ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & passw