Information on Home Assistant's security policies and guidelines can be found on our website:
Security: home-assistant/core
SECURITY.md
- Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN (GHSA-x84v-g949-293w), published Jun 18, 2026 by MartinHjelmare. Severity: High
- Exported BroadcastReceiver allows local apps to spoof device location (GHSA-77r5-pw5w-mgj3), published Jun 17, 2026 by MartinHjelmare. Severity: High
- Cross-origin iframe access token exfiltration via WebView JS bridge callback injection (GHSA-7jp2-p2fw-mgvf), published May 11, 2026 by MartinHjelmare. Severity: High
- Unauthenticated app (add-on) endpoints exposed to local network via host network mode (GHSA-gh5m-4m97-c95h), published Mar 27, 2026 by agners. Severity: Critical
- Stored XSS in history-graphs (GHSA-46j8-vpx8-6p72), published Mar 27, 2026 by bramkragten. Severity: Moderate
- Stored XSS in Map-card through malicious device name (GHSA-r584-6283-p7xc), published Mar 27, 2026 by bramkragten. Severity: Moderate
- Stored XSS in graph tooltip from entity name (GHSA-mq77-rv97-285m), published Oct 14, 2025 by bramkragten. Severity: High
- SSL validation for outgoing requests in core and used libs not correct (GHSA-m3pm-rpgg-5wj6), published Feb 18, 2025 by MartinHjelmare. Severity: High
- User accounts disclosed to unauthenticated actors on the LAN (GHSA-jqpc-rc7g-vf83), published Dec 14, 2023 by frenck. Severity: Moderate
- Account takeover via auth_callback login (GHSA-qhhj-7hrc-gqj5), published Oct 19, 2023 by frenck. Severity: Low
Learn more about advisories related to home-assistant/core in the GitHub Advisory Database