| CVE-2017-16782 | Med | 0.40 | 6.1 | 0.00 | | Nov 10, 2017 | In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markdown text, aka XSS. |
| CVE-2026-33045 | Med | 0.35 | 5.4 | 0.00 | | Mar 27, 2026 | Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01, the "remaining charge time" sensor for mobile phones (apparently imported/included from Android Auto) is vulnerable to cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue. |
| CVE-2026-33044 | Med | 0.35 | 5.4 | 0.00 | | Mar 27, 2026 | Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue. |
| CVE-2025-65713 | | 0.00 | — | 0.00 | | Dec 23, 2025 | Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability. |