VYPR

PyPI package

homeassistant

pkg:pypi/homeassistant

Vulnerabilities (8)

  • CVE-2026-33045MedMar 27, 2026
    affected >= 2025.02, < 2026.01fixed 2026.01

    Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-sit

  • CVE-2026-33044MedMar 27, 2026
    affected >= 2020.02, < 2026.01fixed 2026.01

    Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against an

  • CVE-2025-65713Dec 23, 2025
    affected < 2025.8.0fixed 2025.8.0

    Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability.

  • CVE-2025-62172HigOct 14, 2025
    affected >= 2025.1.0, < 2025.10.2fixed 2025.10.2

    Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy e

  • CVE-2025-25305HigFeb 18, 2025
    affected < 2024.1.6fixed 2024.1.6

    Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past,

  • CVE-2023-50715Dec 15, 2023
    affected < 2023.12.3fixed 2023.12.3

    Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting t

  • CVE-2023-41893Oct 19, 2023
    affected < 2023.9.0fixed 2023.9.0

    Home assistant is an open source home automation. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified

  • CVE-2018-21019Sep 23, 2019
    affected < 0.67.0fixed 0.67.0

    Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py.