Skip to main content

Home Assistant

11 CVEs product

Monthly

CVE-2026-33044 PyPI HIGH PATCH GHSA This Week

Cross-site scripting in Home Assistant's Map card component allows authenticated users to inject malicious JavaScript through device entity names, executing arbitrary code in victims' browsers when they hover over map information points. Affects Home Assistant versions 2020.02 through 2026.0.x, with fix released in version 2026.01. No public exploit identified at time of analysis, though CVSS E:P indicates proof-of-concept code exists. EPSS data not available, but exploitation requires authenticated access and user interaction (hovering), limiting practical attack surface.

XSS Home Assistant
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2023-50715 PyPI MEDIUM POC PATCH This Month

Home Assistant is open source home automation software. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Home Assistant
NVD GitHub
CVSS 3.1
4.3
EPSS
0.9%
CVE-2023-41894 MEDIUM This Month

Home assistant is an open source home automation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Home Assistant
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-41893 PyPI MEDIUM PATCH This Month

Home assistant is an open source home automation. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Home Assistant
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-41899 HIGH This Week

Home assistant is an open source home automation. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Home Assistant
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2023-41897 CRITICAL Act Now

Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS Home Assistant
NVD GitHub
CVSS 3.1
9.6
EPSS
0.9%
CVE-2023-41896 CRITICAL Act Now

Home assistant is an open source home automation. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js XSS Home Assistant Home Assistant Js Websocket
NVD GitHub
CVSS 3.1
9.0
EPSS
0.3%
CVE-2023-41895 CRITICAL Act Now

Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Home Assistant
NVD GitHub
CVSS 3.1
9.6
EPSS
0.7%
CVE-2023-27482 CRITICAL POC THREAT Act Now

homeassistant is an open source home automation tool. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Authentication Bypass Docker Home Assistant Supervisor
NVD GitHub
CVSS 3.1
10.0
EPSS
72.0%
CVE-2021-3152 MEDIUM POC This Month

Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks against custom integrations. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Home Assistant
NVD
CVSS 3.1
5.3
EPSS
2.2%
CVE-2017-16782 MEDIUM PATCH This Month

In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markdown text, aka XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Home Assistant
NVD GitHub
CVSS 3.0
6.1
EPSS
0.3%
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Cross-site scripting in Home Assistant's Map card component allows authenticated users to inject malicious JavaScript through device entity names, executing arbitrary code in victims' browsers when they hover over map information points. Affects Home Assistant versions 2020.02 through 2026.0.x, with fix released in version 2026.01. No public exploit identified at time of analysis, though CVSS E:P indicates proof-of-concept code exists. EPSS data not available, but exploitation requires authenticated access and user interaction (hovering), limiting practical attack surface.

XSS Home Assistant
NVD GitHub VulDB
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

Home Assistant is open source home automation software. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Home Assistant
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Home assistant is an open source home automation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Home Assistant
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Home assistant is an open source home automation. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Home Assistant
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Home assistant is an open source home automation. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Home Assistant
NVD GitHub
EPSS 1% CVSS 9.6
CRITICAL Act Now

Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS Home Assistant
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

Home assistant is an open source home automation. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js XSS Home Assistant +1
NVD GitHub
EPSS 1% CVSS 9.6
CRITICAL Act Now

Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Home Assistant
NVD GitHub
EPSS 72% CVSS 10.0
CRITICAL POC THREAT Act Now

homeassistant is an open source home automation tool. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Authentication Bypass Docker +2
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM POC This Month

Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks against custom integrations. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Home Assistant
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markdown text, aka XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Home Assistant
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy