Security

Report a vulnerability

SECURITY.md

Security Policy

Information on Home Assistant's security policies and guidelines can be found on our website:

https://www.home-assistant.io/security

Unauthenticated app (add-on) endpoints exposed to local network via host network mode
GHSA-gh5m-4m97-c95h published Mar 27, 2026 by agners

Critical
Stored XSS in history-graphs
GHSA-46j8-vpx8-6p72 published Mar 27, 2026 by bramkragten

Moderate
Stored XSS in Map-card through malicious device name
GHSA-r584-6283-p7xc published Mar 27, 2026 by bramkragten

Moderate
Stored XSS in graph tooltip from entity name
GHSA-mq77-rv97-285m published Oct 14, 2025 by bramkragten

High
SSL validation for outgoing requests in core and used libs not correct
GHSA-m3pm-rpgg-5wj6 published Feb 18, 2025 by MartinHjelmare

High
User accounts disclosed to unauthenticated actors on the LAN
GHSA-jqpc-rc7g-vf83 published Dec 14, 2023 by frenck

Moderate
Account takeover via auth_callback login
GHSA-qhhj-7hrc-gqj5 published Oct 19, 2023 by frenck

Low
Full takeover via javascript URI in auth_callback login
GHSA-jvxq-x42r-f7mv published Oct 19, 2023 by frenck

Critical
Local-only webhooks externally accessible via SniTun
GHSA-wx3j-3v2j-rf45 published Oct 19, 2023 by frenck

Low
Fake WS server installation permits full takeover
GHSA-cr83-q7r2-7f5q published Oct 19, 2023 by frenck

Critical

Learn more about advisories related to home-assistant/core in the GitHub Advisory Database