CVE-2025-62172
Published 2025-10-14
Priority P3 · 46 · High · 8.5 (CVSS 4.0)
EPSS: 0.52% (40.2nd percentile)
Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name field, which is then executed when any user hovers over data points in the energy dashboard graph tooltips. The vulnerability exists because entity names containing HTML are not properly sanitized before being rendered in graph tooltips. This could allow an attacker with authentication to execute arbitrary JavaScript in the context of other users' sessions. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action when the default name is used. This issue has been patched in version 2025.10.2. No known workarounds exist.
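The description above comes down to one rendering defect: a user- or integration-supplied entity name is concatenated into tooltip markup without escaping. The following is an added example, not Home Assistant's own frontend code, showing that pattern beside its hardened form plus a small audit helper; the tooltip layout, the `renderTooltipUnsafe`/`renderTooltipSafe`/`nameContainsMarkup` names and the sample entity name are all constructed assumptions.

```javascript
// Added example (not Home Assistant's code): an energy-entity name rendered
// inside a graph tooltip. renderTooltipUnsafe shows the pattern the advisory
// describes (name concatenated into HTML verbatim); renderTooltipSafe escapes
// every untrusted field first. Names, values and layout are constructed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change HTML structure or break out of
// an attribute value. Applied to anything that is not developer-controlled.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The defect class: the entity name lands in the markup unchanged, so any
// tag inside it becomes part of the tooltip DOM when the user hovers.
function renderTooltipUnsafe(entityName, kwh) {
  return `<div class="tooltip"><b>${entityName}</b>: ${kwh} kWh</div>`;
}

// Hardened form: the name (and, for consistency, the value) is escaped,
// so the tooltip shows the name as literal text whatever it contains.
function renderTooltipSafe(entityName, kwh) {
  return `<div class="tooltip"><b>${escapeHtml(entityName)}</b>: ${escapeHtml(kwh)} kWh</div>`;
}

// Audit helper: flag stored entity names that contain anything tag-like.
// Useful when reviewing an instance that ran an affected version, since a
// legitimate sensor name has no reason to contain markup.
function nameContainsMarkup(entityName) {
  return /<[^>]*>/.test(String(entityName));
}

// Constructed sample: a name an integration or user could have supplied.
const SAMPLE_NAME = "Grid import <b>test</b>";

console.log(renderTooltipUnsafe(SAMPLE_NAME, 3.2)); // tag survives into markup
console.log(renderTooltipSafe(SAMPLE_NAME, 3.2));   // tag rendered as text
console.log(nameContainsMarkup(SAMPLE_NAME));       // true
```

Template systems that build DOM from tagged templates (Lit's `html` tag, which the Home Assistant frontend uses, or React JSX) escape interpolated text by default; this defect class appears when a name is instead concatenated into a string that is later assigned as HTML, which is the situation `renderTooltipSafe` corrects. Setting the name through `textContent` on a browser element is an equivalent fix when no templating layer is involved.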
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| home-assistant | core | — | — |
| home-assistant | home-assistant | >= 2025.2.0 < 2026.1.0 | 2026.1.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 8.5 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 8.5 | HIGH | — |
| osv | — | 8.5 | HIGH | — |
GHSA (2026-03-27, CVSS 8.5)
CVE-2026-33044 [HIGH] CWE-79 Home Assistant has stored XSS in Map-card through malicious device name
### Summary
An authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point (the lines or the dots representing that device's movement, as shown in the screenshot below, with the example showing an HTML injection using `` to strike through the text).
This allows an authenticated user to execute JavaScript in the context of any other users accessing a dashboard.
### Details
The vulnerability exists in the map-card by adding a malicious entity and having the property `hours_to_show` set.
See example below, with the malicious ent
OSV (2026-03-27, CVSS 8.5)
CVE-2026-33045 [HIGH] CWE-79 Home Assistant has stored XSS in history-graphs
### Summary
The "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable to the same issue as CVE-2025-62172.
This also indicates that any sensor showing its name in the history-graph is likely to be vulnerable to this issue.
### Details
Another entity was found which displays the same behavior as in this issue: [CVE-2025-62172](https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m)
The History-graph card will sometimes display the name of the entity it is displaying, when the graph is shown as a line with values on the x and y axes. This appears to be vulnerable to Cross-Site Scripting (_XSS_), as it does not have any output escaping or sanitization.
The
OSV (2025-10-14)
CVE-2025-62172 [HIGH] CWE-79 Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name
### Summary
An authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can see the Energy dashboard, when they hover over any information point (the blue bar in the picture below).
An alternative, and more impactful, scenario is that the entity gets a malicious name from the provider of the entity (in this case the energy provider, Tibber) and is exploited that way, through the default name.
### Details
The incriminating entity in my scenario is from the Tibber integration, as shown in the screenshot below:
The exploit should be possible regardless of the Energy integration, as the user can name the entity themselves and as
No detection rules found.
No public exploits indexed.