VYPR

PyPI package

ha-mcp

pkg:pypi/ha-mcp

Vulnerabilities (2)

  • CVE-2026-32112, Mar 11, 2026
    affected < 7.0.0, fixed 7.0.0

    ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL

  • CVE-2026-32111, Mar 11, 2026
    affected < 7.0.0, fixed 7.0.0

    ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form (beta feature) accepts a user-supplied ha_url and makes a server-side HTTP request to {ha_url}/api/config with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform