Home-Assistant Core vulnerabilities
17 known vulnerabilities affecting home-assistant/core.

Total CVEs: 17
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 4, HIGH 9, MEDIUM 4

Vulnerabilities
CVE-2023-27482 | P1 | CRITICAL | CVSS 10.0 | Exploited | PoC | fixed in 2023.3.2 | 2023-03-08
CWE-287. homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered. This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older. Installation types, like Home Assistant Container (for exampl
Source: nvd
CVE-2023-41897 | P3 | CRITICAL | CVSS 9.6 | fixed in 2023.9.0 | 2023-10-19
CWE-1021. Home Assistant is an open source home automation tool. The Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the
Source: nvd
CVE-2023-44385 | P3 | HIGH | CVSS 8.8 | fixed in 2023.7 | 2023-10-19
CWE-352. The Home Assistant Companion for iOS and macOS app up to version 2023.4 is vulnerable to Client-Side Request Forgery. Attackers may send malicious links/QRs to victims that, when visited, will make the victim call arbitrary services in their Home Assistant installation. Combined with this security advisory, may result in full compromise and remote
Source: nvd
CVE-2026-54317 | P3 | HIGH | CVSS 7.6 | fixed in 2026.6.0 | 2026-06-23
CWE-200. Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that is marked as not requiring authentication (requires_auth = False). A comment next to that line says auth is inste
Source: nvd
CVE-2025-62172 | P3 | HIGH | CVSS 8.5 | affected: >= 2025.02, < 2026.01 | 2025-10-14
CWE-79. Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name field, which is then executed when any user hovers over data
Source: nvd
CVE-2023-41895 | P3 | CRITICAL | CVSS 9.6 | fixed in 2023.9.0 | 2023-10-19
CWE-79. Home Assistant is an open source home automation tool. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation typically ensures that it matches the `client_id` and the scheme represents eithe
Source: nvd
CVE-2023-41896 | P3 | CRITICAL | CVSS 9.0 | affected: Home Assistant Core < 2023.8.0; home-assistant-js-websocket < 8.2.0 | 2023-10-19
CWE-345. Home Assistant is an open source home automation tool. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket conn
Source: nvd
CVE-2023-41899 | P3 | HIGH | CVSS 7.2 | fixed in 2023.9.0 | 2023-10-19
CWE-918. Home Assistant is an open source home automation tool. In affected versions the `hassio.addon_stdin` service is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g. through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoint with a POST request. An attacker able to exploit will be abl
Source: nvd
CVE-2026-44698 | P3 | HIGH | CVSS 8.3 | fixed in 2026.4.4 | 2026-05-29
CWE-94. Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, the Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView: window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth
Source: nvd
CVE-2026-55844 | P3 | HIGH | CVSS 7.5 | fixed in 2025.5.0 | 2026-06-29
CWE-319. Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2025.5.0, the iOS companion app ignores the SSID allowlist for internal networks. The app uses the SSID to detect when to use the internal URL, but whenever the app cannot find any other URL to be used, it falls back to the internal URL as well, which
Source: nvd
CVE-2023-41898 | P3 | HIGH | CVSS 7.8 | fixed in 2023.9.2 | 2023-10-19
CWE-94. Home Assistant is an open source home automation tool. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and a
Source: nvd
CVE-2025-25305 | P3 | HIGH | CVSS 7.0 | fixed in 2024.1.6 | 2025-02-18
CWE-940. Home Assistant Core is an open source home automation tool that puts local control and privacy first. Affected versions are subject to potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SS
Source: nvd
CVE-2026-54318 | P4 | HIGH | CVSS 7.1 | fixed in 2026.5.3 | 2026-06-23
CWE-926. Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no permission. Any installed app, with zero runtime permissions, can broadcast a forged Google Play Services LocationResult directly to it; the receiver trusts the extra and f
Source: nvd
CVE-2023-41893 | P4 | MEDIUM | CVSS 5.4 | fixed in 2023.9.0 | 2023-10-20
CWE-200. Home Assistant is an open source home automation tool. The audit team's analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted
Source: nvd
CVE-2023-41894 | P4 | MEDIUM | CVSS 5.3 | fixed in 2023.9.0 | 2023-10-20
CWE-669. Home Assistant is an open source home automation tool. The assessment verified that webhooks available in the webhook component are triggerable via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as "Only accessible from the local network". This issue is facilitated by the SniTun proxy, which sets the source address to 127.
Source: nvd
CVE-2026-33044 | P4 | MEDIUM | CVSS 5.4 | affected: >= 2020.02, < 2026.01 | 2026-03-27
CWE-79. Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity.
Source: nvd
CVE-2023-50715 | P4 | MEDIUM | CVSS 4.3 | fixed in 2023.12.3 | 2023-12-15
CWE-200. Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue.
When starting the Home Assistant 2023.12 release, the login page returns all currently
Source: nvd