Information on Home Assistant's security policies and guidelines can be found on our website:
Security: home-assistant/core
- User accounts disclosed to unauthenticated actors on the LAN: GHSA-jqpc-rc7g-vf83, published Dec 14, 2023 by frenck (Moderate)
- Account takeover via auth_callback login: GHSA-qhhj-7hrc-gqj5, published Oct 19, 2023 by frenck (Low)
- Full takeover via javascript URI in auth_callback login: GHSA-jvxq-x42r-f7mv, published Oct 19, 2023 by frenck (Critical)
- Local-only webhooks externally accessible via SniTun: GHSA-wx3j-3v2j-rf45, published Oct 19, 2023 by frenck (Low)
- Fake WS server installation permits full takeover: GHSA-cr83-q7r2-7f5q, published Oct 19, 2023 by frenck (Critical)
- Lack of XFO header allows clickjacking: GHSA-935v-rmg9-44mw, published Oct 19, 2023 by frenck (Critical)
- Actions expression injection in `helpers/version/action.yml`: GHSA-jff5-5j3g-vhqc, published Oct 19, 2023 by frenck (Low)
- Arbitrary URL load in Android WebView in `MyActivity.kt`: GHSA-jvpm-q3hq-86rg, published Oct 19, 2023 by frenck (High)
- Partial Server-Side Request Forgery in Core: GHSA-4r74-h49q-rr3h, published Oct 19, 2023 by frenck (Low)
- Client-Side Request Forgery in iOS/macOS native Apps: GHSA-h2jp-7grc-9xpp, published Oct 19, 2023 by frenck (High)
Learn more about advisories related to home-assistant/core in the GitHub Advisory Database