VYPR
Vendor

Jpettitt

Products
10
CVEs
25
Across products
35
Status
Private

Products

10

Recent CVEs

25
View all 25 CVEs →
  • CVE-2023-27482CriMar 8, 2023
    risk 0.71cvss 10.0epss 0.72

    homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use the Supervisor 2023.01.1…

  • CVE-2026-45323CriMay 28, 2026
    risk 0.62cvss 9.6epss 0.00

    MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant…

  • CVE-2023-41897HigOct 19, 2023
    risk 0.57cvss 8.8epss 0.01

    Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert…

  • CVE-2023-41895HigOct 19, 2023
    risk 0.57cvss 8.8epss 0.01

    Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation typically…

  • CVE-2023-44385HigOct 19, 2023
    risk 0.56cvss 8.6epss 0.00

    The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim to call arbitrary services in their Home Assistant installation.…

  • CVE-2023-41898HigOct 19, 2023
    risk 0.56cvss 8.6epss 0.00

    Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution,…

  • CVE-2025-62172HigOct 14, 2025
    risk 0.55cvss epss 0.01

    Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy…

  • CVE-2026-41489HigMay 11, 2026
    risk 0.50cvss 8.8epss 0.00

    Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid…

  • CVE-2026-44698HigMay 29, 2026
    risk 0.47cvss 8.3epss 0.00

    Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on…

  • CVE-2023-41896HigOct 19, 2023
    risk 0.46cvss 7.1epss 0.00

    Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the…

  • CVE-2026-54317higJun 19, 2026
    risk 0.45cvss epss 0.00

    ### Summary The Konnected integration registers an HTTP endpoint, `KonnectedView` (`homeassistant/components/konnected/__init__.py`), that is marked as **not requiring authentication** (`requires_auth = False`). A comment next to that line says auth is instead handled "via the…

  • CVE-2023-41899MedOct 19, 2023
    risk 0.43cvss 6.6epss 0.00

    Home assistant is an open source home automation. In affected versions the `hassio.addon_stdin` is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g.: through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST…

  • CVE-2020-36517HigMar 10, 2022
    risk 0.42cvss 7.5epss 0.03

    An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS operator to gain knowledge about internal network resources via the hardcoded DNS resolver configuration.

  • CVE-2017-16782MedNov 10, 2017
    risk 0.40cvss 6.1epss 0.01

    In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markdown text, aka XSS.

  • CVE-2025-25305HigFeb 18, 2025
    risk 0.39cvss 7.0epss 0.00

    Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the…

  • CVE-2021-3152MedJan 26, 2021
    risk 0.35cvss 5.3epss 0.02

    Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks against custom integrations. NOTE: the vendor's perspective is that the vulnerability itself is in custom integrations written by third parties, not in Home…

  • CVE-2023-41894MedOct 20, 2023
    risk 0.34cvss 5.3epss 0.00

    Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue…

  • CVE-2026-40602MedApr 21, 2026
    risk 0.29cvss 5.6epss 0.00

    The Home Assistant Command-line interface (hass-cli) is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was…

  • CVE-2026-33045MedMar 27, 2026
    risk 0.28cvss 5.4epss 0.00

    Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable…

  • CVE-2026-33044MedMar 27, 2026
    risk 0.28cvss 5.4epss 0.00

    Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against…