
Cloud Vulnerability DB
A community-led vulnerabilities database
Home Assistant, an open-source home automation software, was found to contain a stored cross-site scripting vulnerability (CVE-2025-62172) in versions 2025.1.0 through 2025.10.1. The vulnerability affects the energy dashboard functionality where entity names containing HTML are not properly sanitized before being rendered in graph tooltips (GitHub Advisory).
The vulnerability exists in the energy dashboard's graph tooltip rendering mechanism. When displaying entity names in tooltips, the system fails to properly sanitize HTML content, allowing for script injection. The issue specifically occurs when hovering over data points in the energy dashboard graph tooltips. The vulnerability has been assigned a CVSS 4.0 Base Score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. The weakness is categorized under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) and CWE-79 (Improper Neutralization of Input During Web Page Generation) (GitHub Advisory).
The vulnerability allows an authenticated attacker to inject malicious JavaScript code into an energy entity's name field, which is then executed in the context of other users' sessions when they hover over data points in the energy dashboard. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action (GitHub Advisory).
The vulnerability has been patched in version 2025.10.2. No known workarounds exist for affected versions. Users are advised to upgrade to the patched version to protect against this vulnerability (GitHub Advisory).
Source: This report was generated using AI
Free Vulnerability Assessment
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
"We know that if Wiz identifies something as critical, it actually is."