PyPI package
homeassistant
pkg:pypi/homeassistant
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33045 | Med | 5.4 | >= 2025.02, < 2026.01 | 2026.01 | Mar 27, 2026 | Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-sit | |
| CVE-2026-33044 | Med | 5.4 | >= 2020.02, < 2026.01 | 2026.01 | Mar 27, 2026 | Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against an | |
| CVE-2025-65713 | — | < 2025.8.0 | 2025.8.0 | Dec 23, 2025 | Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability. | ||
| CVE-2025-62172 | Hig | — | >= 2025.1.0, < 2025.10.2 | 2025.10.2 | Oct 14, 2025 | Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy e | |
| CVE-2025-25305 | Hig | 7.0 | < 2024.1.6 | 2024.1.6 | Feb 18, 2025 | Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, | |
| CVE-2023-50715 | — | < 2023.12.3 | 2023.12.3 | Dec 15, 2023 | Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting t | ||
| CVE-2023-41893 | — | < 2023.9.0 | 2023.9.0 | Oct 19, 2023 | Home assistant is an open source home automation. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified | ||
| CVE-2018-21019 | — | < 0.67.0 | 0.67.0 | Sep 23, 2019 | Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py. |
- affected >= 2025.02, < 2026.01fixed 2026.01
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-sit
- affected >= 2020.02, < 2026.01fixed 2026.01
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against an
- CVE-2025-65713Dec 23, 2025affected < 2025.8.0fixed 2025.8.0
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability.
- affected >= 2025.1.0, < 2025.10.2fixed 2025.10.2
Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy e
- affected < 2024.1.6fixed 2024.1.6
Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past,
- CVE-2023-50715Dec 15, 2023affected < 2023.12.3fixed 2023.12.3
Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting t
- CVE-2023-41893Oct 19, 2023affected < 2023.9.0fixed 2023.9.0
Home assistant is an open source home automation. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified
- CVE-2018-21019Sep 23, 2019affected < 0.67.0fixed 0.67.0
Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py.