{"url":"http://public2.vulnerablecode.io/api/packages/854600?format=json","purl":"pkg:pypi/homeassistant@2025.8.2","type":"pypi","namespace":"","name":"homeassistant","version":"2025.8.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2026.1.0","latest_non_vulnerable_version":"2026.1.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22581?format=json","vulnerability_id":"VCID-1thd-8cw5-yfg3","summary":"Home Assistant has stored XSS in Map-card through malicious device name\n### Summary\nAn authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point (The lines or the dots representing that device's movement, as shown in the screenshot below, with the example showing a html-injection using `<s>` to strikethrough the text)\n<img width=\"348\" height=\"355\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1af3ef33-3a72-4816-8ade-e6405aace176\" />\n\nThis allows an authenticated user to execute JavaScript in the context of any other users accessing a dashboard.\n\n### Details\n\nThe vulnerability exists in the map-card by adding a malicious entity and having the property `hours_to_show` set.\nSee example below, with the malicious entity being `Pixel 9 <s> Fold Robin {{7*7}}`:\nMap card with malicious device entity:\n<img width=\"338\" height=\"332\" alt=\"image\" src=\"https://github.com/user-attachments/assets/15229cc3-1b69-438c-9ee5-cbfa9483aec9\" />\n\nYAML-view of same card:\n<img width=\"338\" height=\"198\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cd579266-75c3-4cdf-9d08-1544a6887feb\" />\n\n\nThis issue largely resembles the issue documented in: [CVE-2025-62172](https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m), but with an entity which can be displayed in a Map, instead of in an energy-dashboard.\n\n\n### PoC\n1. Register a new sensor (or device) or change the name of an existing one, which provides a location\n2. Change the name to something malicious, for example `test <img src=x onerror=alert(document.domain) />`\nFor a new entity, it should work when setting the name. For old entities, go here:\n<img width=\"1300\" height=\"411\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d240549e-f26c-4617-89d7-5480451ae5a3\" />\n<img width=\"1383\" height=\"885\" alt=\"image\" src=\"https://github.com/user-attachments/assets/94db6186-ad54-476c-92a3-9f6870b0c862\" />\n<img width=\"387\" height=\"436\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f4c4b9f6-b1e7-4b50-9012-3be31c617be4\" />\n<br>\n<img width=\"392\" height=\"515\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a0f24d2f-cc18-4ef7-9071-40376dbb38c1\" />\n\n3. Add the entity to a map card, which has the \"hours to show\"-attribute set, to display movement history\n<img width=\"296\" height=\"383\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b2db55b6-3d4b-4ab0-91fe-fc26813ad5ff\" />\n<img width=\"692\" height=\"410\" alt=\"image\" src=\"https://github.com/user-attachments/assets/aec15e07-12c0-4abf-ba73-979736131c7c\" />\n\n<img width=\"694\" height=\"302\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e4bb7cac-fe85-41eb-963c-1743e78d937c\" />\n\n(The left arrow showing the custom setting, and the right arrow showing a data point which needs to be hovered)\n\n4. The payload executes when hovering a data-point (here shown with an \"alert(document.domain\"-payload)\n<img width=\"504\" height=\"118\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9f24e1fe-949f-4fa5-9e4f-781828a1343b\" />\n\n### Impact\nThe impact of this vulnerability is that a user can target other users of the system and perform account takeover through client side exploitation of XSS.\n\nIn the context of this system, I believe the vulnerability to be less impactful than the CVSS metric describes, as it requires a specific setup (map-card with attribute `hours_to_show` set, as this brings up the trail). It is interesting to note that any user who sets this attribute, will be highly likely to trigger the vulnerability through normal use. It also has no potential for being imported through seemingly innocent integrations and can only be set explicitly by another invited user, a device name, a cloud service or through social engineering. Other devices which has the same sensor can trigger the same vulnerability, and I expect there to exists cloud-based devices that would enable a threat actor to deliver the payload remotely.\n\nSuggested criticality: **Medium**\n\nCredit: Robin Lunde - [https://robinlunde.com](https://robinlunde.com)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33044","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05368","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33044"},{"reference_url":"https://github.com/home-assistant/core","reference_id":"","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/home-assistant/core"},{"reference_url":"https://github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xc","reference_id":"","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-01T03:55:26Z/"}],"url":"https://github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33044","reference_id":"","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33044"},{"reference_url":"https://github.com/advisories/GHSA-r584-6283-p7xc","reference_id":"GHSA-r584-6283-p7xc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-r584-6283-p7xc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57553?format=json","purl":"pkg:pypi/homeassistant@2026.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/homeassistant@2026.1"},{"url":"http://public2.vulnerablecode.io/api/packages/963613?format=json","purl":"pkg:pypi/homeassistant@2026.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/homeassistant@2026.1.0"}],"aliases":["CVE-2026-33044","GHSA-r584-6283-p7xc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1thd-8cw5-yfg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22150?format=json","vulnerability_id":"VCID-8xpy-65hq-dud9","summary":"Home Assistant has stored XSS in history-graphs\n### Summary\nThe \"remaining charge time\"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable to the same issue as CVE-2025-62172.\n<img width=\"431\" height=\"334\" alt=\"image\" src=\"https://github.com/user-attachments/assets/84e0dfad-b986-4e84-ad0e-674c5da88582\" />\nThis also indicates that any sensor showing their name in the history-graph, is likely to be vulnerable to this issue.\n\n### Details\n\nAnother entity was found which displays the same behavior as in this issue: [CVE-2025-62172](https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m)\n\n\nThe History-graph card will sometimes display the name of the entity it is displaying, when the graph is shown as a line with values on the x and y axis. This appears to be vulnerable to Cross-Site scripting (_XSS_) as it does not have any output escaping or sanitization.\n\nThe PoC in this instance only shows HTML-injection in the form of the `<s>` -tag being rendered as strike through, but the vulnerability also allows for injecting arbitrary tags which execute JavaScript, like the example given in the PoC description below.\n\n\n### PoC\n1. Register a new sensor (or device) or change the name of an existing one, which provides a location\n2. Change the name to something malicious, for example `test <img src=x onerror=alert(document.domain) />`\n    For a new entity, it should work when setting the name. For old entities, go here:\n<img width=\"1300\" height=\"411\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7dbd9afa-2f4b-4d03-9384-d57c53eaff5c\" />\n<img width=\"1383\" height=\"885\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c4cfba2e-e2d8-4817-92fe-f17ba7877e27\" />\n<img width=\"387\" height=\"436\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c40e986d-20ca-416e-bcdb-ca1d3afa77a4\" />\n<br>\n<img width=\"392\" height=\"515\" alt=\"image\" src=\"https://github.com/user-attachments/assets/623fcf8c-eef1-4b17-853d-0ff5440aecaa\" />\n\n**PS: the example pictures show changing the name of the device-tracker entity, which is wrong. Just change the name of the `remaining charge time`-sensor in order to validate this finding**\n\n3. Add a history graph card with the malicious sensor\n<img width=\"696\" height=\"474\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3cda78e6-3db5-4075-8924-ab9fc5759082\" />\n\n5. Hover the graph for payload execution\n<img width=\"343\" height=\"196\" alt=\"image\" src=\"https://github.com/user-attachments/assets/99e56169-b06a-4c60-9343-510e5d74af12\" />\n\n\n### Impact\n\nThe impact of this vulnerability is that a user can target other users of the system and perform account takeover through client side exploitation of XSS.\n\nIn the context of this system, I believe the vulnerability to be less impactful than the CVSS metric describes. It is not displayed anywhere by default, it is not natural to display this history graph, and it also has no potential for being imported through seemingly innocent integrations. It also appears to rely on having used/using Android Auto. Other devices which has the same sensor can trigger the same vulnerability, and I expect there to exists cloud-based devices that would enable a threat actor to deliver the payload remotely.\n\nCredit: Robin Lunde - [https://robinlunde.com](https://robinlunde.com)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33045","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01394","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33045"},{"reference_url":"https://github.com/home-assistant/core","reference_id":"","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/home-assistant/core"},{"reference_url":"https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72","reference_id":"","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:17Z/"}],"url":"https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72"},{"reference_url":"https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m","reference_id":"","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:17Z/"}],"url":"https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33045","reference_id":"","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33045"},{"reference_url":"https://github.com/advisories/GHSA-46j8-vpx8-6p72","reference_id":"GHSA-46j8-vpx8-6p72","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-46j8-vpx8-6p72"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57553?format=json","purl":"pkg:pypi/homeassistant@2026.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/homeassistant@2026.1"},{"url":"http://public2.vulnerablecode.io/api/packages/963613?format=json","purl":"pkg:pypi/homeassistant@2026.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/homeassistant@2026.1.0"}],"aliases":["CVE-2026-33045","GHSA-46j8-vpx8-6p72"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8xpy-65hq-dud9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/27870?format=json","vulnerability_id":"VCID-x526-dppa-nqbv","summary":"Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name\n### Summary\nAn authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can see the Energy dashboard, when they hover over any information point (The blue bar in the picture below)\n<img width=\"955\" height=\"568\" alt=\"1_cens\" src=\"https://github.com/user-attachments/assets/ed855216-c306-4b50-affc-cda100e72b74\" />\n\n\nAn alternative, and more impactful scenario, is that the entity gets a malicious name from the provider of the Entity (in this case the energy provider: Tibber), and gets exploited that way, through the default name.\n\n\n### Details\nThe incriminating entity in my scenario is from the Tibber integration, as shown in the screenshot below:\n<img width=\"822\" height=\"309\" alt=\"2_cens\" src=\"https://github.com/user-attachments/assets/d0d5a7aa-8d0c-4dcb-825b-e4cb8ea8885b\" />\n\n\nThe exploit should be possible regardless of the Energy integration, as the user can name the entity themselves and as such pick a malicious name. The default name given by the Energy integration can also be taken directly from their system, and be vulnerable that way. The execution happens within the energy dashboard, when hovering over a data point:\n\n<img width=\"1545\" height=\"571\" alt=\"image\" src=\"https://github.com/user-attachments/assets/46dc7f00-4593-4271-8c3f-4c02b021ff2b\" />\n\n\n**Update found after issue was reported:**\nI found that the issue presents itself for any entity with a html-entity in the name, which is included and rendered in the graph view. Following is an example for a speaker:\n<img width=\"423\" height=\"96\" alt=\"11_cens\" src=\"https://github.com/user-attachments/assets/3b4d43dd-d9e0-466b-85c0-277af3195acf\" />\n\n##### Source code\nThe relevant source code is added in a comment, but copy pasted here as well:\n\nThe offending line of code rendering the payload appears to be:\nhttps://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-devices-graph-card.ts#L110\nWhere the parameter marked with bold and italic is the vulnerable value:\nreturn \\`${title}${params.marker} **_${params.seriesName}_**: ${value}\\`;\n\n\nFrom the trace below, we can see that the only change done to the friendly_name of an entity is replacing underscores with spaces (_computeObjectId(entityId).replace(/_/g, \" \")_).\nWe can also determine that any power entity will have it's name used if there is one, and fall back to the friendly name if it cannot find one:\n```\ndata.push({\n  id: `${compare ? \"compare-\" : \"\"}${statId}-${type}`,\n  type: \"bar\",\n  cursor: \"default\",\n  name:\n    type in labels\n      ? labels[type]\n      : getStatisticLabel(\n          this.hass,\n          statId,\n          statisticsMetaData[statId]\n        ),\n```\n(https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-usage-graph-card.ts#L467-L478)\n\n\nThe value comes from:\n\n1. https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-usage-graph-card.ts#L467-L478 \n(This is the relevant call: _getStatisticLabel(this.hass, statId, statisticsMetaData[statId];_)\n\n2. getStatisticLabel is defined here: https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/data/recorder.ts#L329-L339 (This is the relevant call: _computeStateName(entity);_)\n\n3. computeStateName is defined here: https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/common/entity/compute_state_name.ts\n\n\n-----\n\n### PoC\n1. Set up a new energy provider with a price sensor.\n2. Give the price sensor a malicious name \n<img width=\"814\" height=\"100\" alt=\"4_cens\" src=\"https://github.com/user-attachments/assets/64bf7a00-47a2-46db-ae0f-b93e328837d2\" />\n<img width=\"459\" height=\"325\" alt=\"5_cens\" src=\"https://github.com/user-attachments/assets/e43e1c4f-bb4e-45b4-b46a-a6fc32b689ba\" />\n\n\n3. Configure the energy dashboard to get data from the price sensor\n<img width=\"582\" height=\"394\" alt=\"image\" src=\"https://github.com/user-attachments/assets/74c99ab8-0842-4c1b-b2e9-994827d89609\" />\n\n<img width=\"1678\" height=\"241\" alt=\"7_cens\" src=\"https://github.com/user-attachments/assets/24f4c83a-3c0a-4dea-9e1c-9c6b070fb28f\" />\n\n\n<img width=\"329\" height=\"497\" alt=\"8_cens\" src=\"https://github.com/user-attachments/assets/ccb7f90a-4745-4fb4-9efa-f30b3324cb3a\" />\n\n\n5. Look at the data and hover the data point for code to execute. (You may have to trigger data ingestion or add a false data point to be able to hover a data point when testing, you need at least one datapoint to trigger the vulnerability)\n<img width=\"1547\" height=\"575\" alt=\"9_cens\" src=\"https://github.com/user-attachments/assets/087cdf78-a503-427d-8e0c-bb5db24de5c8\" />\n\n\n### Impact\nIt is possible to exploit this over the internet, by using an energy provider, like Tibber, with a malicious name, and relying on the default naming in Home Assistant being used. This is actually how I found this bug:\n<img width=\"453\" height=\"152\" alt=\"10_cens\" src=\"https://github.com/user-attachments/assets/45451efb-2688-4589-a988-88d1fc0b4e25\" />\n\nThis means that a malicious employee or someone with access to your electricity provider can attack your Home Assistant instance from your electricity provider. I am unsure if you consider this a sanitization and escaping issue in the respective integrations or not, but I believe a central fix in the form of fixing the Energy Dashboard is more appropriate, rather than to rely on every integration properly handling user input.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62172","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03607","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62172"},{"reference_url":"https://github.com/home-assistant/core","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/home-assistant/core"},{"reference_url":"https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-14T16:07:00Z/"}],"url":"https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m"},{"reference_url":"https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/common/entity/compute_state_name.ts","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/common/entity/compute_state_name.ts"},{"reference_url":"https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/data/recorder.ts#L329-L339","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/data/recorder.ts#L329-L339"},{"reference_url":"https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-devices-graph-card.ts#L110","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-devices-graph-card.ts#L110"},{"reference_url":"https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-usage-graph-card.ts#L467-L478","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-usage-graph-card.ts#L467-L478"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62172","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62172"},{"reference_url":"https://github.com/advisories/GHSA-mq77-rv97-285m","reference_id":"GHSA-mq77-rv97-285m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mq77-rv97-285m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61486?format=json","purl":"pkg:pypi/homeassistant@2025.10.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1thd-8cw5-yfg3"},{"vulnerability":"VCID-8xpy-65hq-dud9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/homeassistant@2025.10.2"}],"aliases":["CVE-2025-62172","GHSA-mq77-rv97-285m"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x526-dppa-nqbv"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/homeassistant@2025.8.2"}