Stored Cross-Site Scripting Vulnerability in Home Assistant Energy Dashboard
CVE-2025-62172

CVSS v4 score: 5.3 (MEDIUM)

Key Information:

CVE Published: 14 October 2025

What is CVE-2025-62172?

Home Assistant, a widely used open-source home automation platform, has an energy dashboard that is susceptible to stored cross-site scripting. Any user authenticated on the platform can place JavaScript in the name field of an energy entity. That name is later rendered into the tooltip shown when another user hovers over a data point in an energy graph, so the injected code runs in that user's browser and can compromise their session. The root cause is that HTML in entity names is not sanitized before being inserted into the tooltip markup. Because the name is rendered wherever it originates, an energy provider integration that supplies a harmful default name would also trigger the issue without any direct action by the victim. The issue is fixed in Home Assistant 2025.10.2; no workarounds are known.
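The defect class described above is untrusted stored text (an entity name) interpolated into tooltip HTML without escaping. The following is an added illustration written for this page; it is not Home Assistant code and makes no claim about how the real dashboard builds its tooltips. The entity objects, the `buildTooltipUnsafe`/`buildTooltipSafe` functions, and the sample names are constructed for the example. It shows the unescaped pattern beside its escaped form, and a small helper a defender could run over an exported list of entity names to spot ones that contain markup.

```javascript
// Added example for CVE-2025-62172 (not Home Assistant's own code).
// Entity names are user-controlled stored data; anything that lands in
// innerHTML-style markup must be escaped first.

// Escape the five characters that matter in HTML text and attribute context.
// '&' is handled first so already-produced entities are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern, shown for contrast: the stored name is placed into
// the tooltip markup verbatim, so any tags it contains become live DOM.
function buildTooltipUnsafe(entity) {
  return `<div class="tooltip"><span class="name">${entity.name}</span>: ${entity.value} kWh</div>`;
}

// Hardened pattern: the name is escaped and the numeric field is coerced,
// so neither can contribute markup to the rendered tooltip.
function buildTooltipSafe(entity) {
  const name = escapeHtml(entity.name);
  const value = Number(entity.value);
  if (!Number.isFinite(value)) {
    throw new TypeError("entity value must be a finite number");
  }
  return `<div class="tooltip"><span class="name">${name}</span>: ${value} kWh</div>`;
}

// Defensive check (hypothetical helper): flag stored names that contain
// angle brackets, numeric character references or a javascript: scheme.
// Useful for reviewing an exported entity list on an unpatched instance.
const MARKUP_PATTERN = /[<>]|&#|javascript:/i;
function findSuspiciousNames(entities) {
  return entities
    .filter((e) => MARKUP_PATTERN.test(String(e.name)))
    .map((e) => e.name);
}

// Constructed sample entities (not real data from any installation).
const sampleEntities = [
  { name: "Solar Panels", value: 12.4 },
  { name: "Kitchen & Bath", value: 0.8 },
  { name: "Grid <script>alert(1)</script>", value: 3 },
];

// Runs stand-alone: prints the contrast and the flagged names.
function demo() {
  const hostile = sampleEntities[2];
  console.log("unsafe :", buildTooltipUnsafe(hostile));
  console.log("safe   :", buildTooltipSafe(hostile));
  console.log("flagged:", findSuspiciousNames(sampleEntities));
}
demo();
```

The escaping in `buildTooltipSafe` is the generic remedy for this bug class; in a real chart library the equivalent is to set tooltip text through a text-node API (for example `textContent`) rather than through HTML string assembly, which removes the need to escape at all.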

Affected Version(s)

core >= 2025.1.0, < 2025.10.2

References

CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 14 October 2025
  • Vulnerability reserved