A critical security vulnerability in Home Assistant allowed attackers to bypass authentication and access the Supervisor API. This affected Home Assistant OS and Supervised installations using Supervisor version 2023.03.2 or older.
Home Assistant Core
Open Home Foundation · 05.06.2026
Fresh — released < 7 days ago · 0 open bugs, 0 regressions
Upgrade assessment
Security-relevant · Update promptly
Derived automatically from release, repo and CVE data — no judgment by a language model.
A vulnerability in the Home Assistant iOS/macOS app up to version 2023.4 allows attackers to execute arbitrary services on victims' Home Assistant systems through malicious links or QR codes, potentially leading to system compromise.
A vulnerability in Home Assistant Core allows attackers to send unauthorized requests to internal Supervisor APIs through the hassio.addon_stdin service, potentially leading to remote code execution.
The Home Assistant Android app up to version 2023.8.2 can load arbitrary URLs in a WebView, allowing attackers to execute malicious JavaScript code and steal user credentials.
A vulnerability in Home Assistant's GitHub Actions allows attackers to inject commands, potentially stealing secrets and manipulating the repository through the workflow system.
Home Assistant Core doesn't set HTTP security headers like X-Frame-Options, allowing attackers to use clickjacking attacks to trick users into installing malicious add-ons and gain remote code execution on the system.
A vulnerability in Home Assistant Core allows attackers to create malicious links that force the frontend to connect to a fake WebSocket server, leading to cross-site scripting attacks and complete system takeover.
Home Assistant Core has a vulnerability where webhooks can be triggered via public URLs without authentication, even when configured as locally accessible only.
A vulnerability in Home Assistant Core allows attackers to execute malicious JavaScript code through manipulated login redirects, potentially leading to complete takeover of the Home Assistant account and installation.
Home Assistant Core has a vulnerability in its login system where attackers can manipulate redirects to steal access credentials if users click on crafted links and their installation is publicly accessible.
Home Assistant Core displays all active user accounts on the login page without requiring authentication when the request originates from the local network.
Home Assistant Core has a vulnerability in SSL certificate verification that enables man-in-the-middle attacks. Incorrect use of the ssl parameter in HTTP requests unintentionally disables certificate verification, allowing attackers to intercept encrypted connections.
Home Assistant Core is vulnerable to Cross-Site Scripting attacks when malicious HTML content is inserted into entity names, which then gets executed in the Energy dashboard view when users hover over data points.
A vulnerability in Home Assistant Core allows authenticated users to inject malicious code into device names, which then executes as a Cross-Site Scripting attack against other users when they hover over data points in map dashboards.
A vulnerability in Home Assistant Core allows cross-site scripting attacks through malicious sensor names in history graphs, enabling attackers to execute JavaScript code in other users' sessions and potentially take over accounts.
Home Assistant apps using host network mode incorrectly expose internal Docker interfaces to the local network, allowing attackers to access critical functions like shell access without authentication.
A security vulnerability in Home Assistant Companion apps for Android and iOS allows malicious websites in embedded frames to steal access tokens from logged-in users, granting full access to their smart home systems.
Maintenance update with bug fixes for various integrations and dependency updates
Beta release adding zone-based triggers and conditions for automation, improving media player code quality, updating various dependencies, fixing SwitchBot Blind Tilt errors, preventing log spam, and enhancing error handling across multiple integrations.
Beta release updating intents library to version 2026.6.1, improving WebSocket condition testing by removing error logging, adding Bluetooth reachability diagnostics for Avea devices, and updating the frontend interface to version 20260527.4.
Unable to analyze release notes as the provided URL appears to be for a future version (2026.6.0) that does not exist yet. No changelog content was accessible to determine changes or breaking modifications.
Beta release containing numerous bug fixes across integrations including MQTT valve state handling, Apple TV streaming issues, backup security improvements, and various sensor/device connectivity problems. Includes dependency updates and minor feature enhancements.
Beta release containing various bug fixes including media player platform improvements for Alexa devices, proper user-agent for feed fetching, Bluetooth device discovery error explanations, dependency updates, and fixes for ProxmoxVE and iCloud integrations.
Beta release announcement for Home Assistant Core 2026.6.0b0 with incomplete release notes, testing instructions, and issue reporting guidelines for the beta period.
Patch release fixing multiple crashes and bugs across various integrations including SmartThings, PowerView, Wyoming satellite, Lutron Caseta, and Hue. Updates several dependencies and resolves translation issues. Addresses stability problems that could cause component failures.
Patch release fixing numerous crashes and bugs across multiple integrations including Apple TV, Overkiz covers, utility meters, template conditions, and various device-specific issues. Updates several dependencies and resolves startup blocking problems in Google Assistant and GoodWe integrations.
Patch release containing numerous bug fixes across integrations including LG ThinQ, SmartThings, Comelit, and others. Includes dependency updates and one breaking change in Duco integration that removes temperature sensors and migrates to new connectivity library.
Patch release containing bug fixes for multiple integrations including WiZ lights, IntelliFire, Overkiz covers, Z-Wave discovery, and various dependency updates. Fixes connection timeouts, state handling issues, and crash conditions across different device integrations.
Beta release adding new automation triggers and conditions for media players, improving error handling for energy data updates, enhancing Matter fan controls, fixing Zinvolt select options, and updating various dependencies including frontend and library components.
Beta release removes internal method from EntityConditionBase, excludes incompatible entities from climate/water heater/humidifier automations, improves template entity cleanup, and updates Tibber integration dependency.
Unable to analyze release notes as the provided URL appears to be for a future version (2026.5.0) that does not exist yet. No changelog content was accessible to determine changes, breaking compatibility, or severity level.
Beta release with various improvements including new media player muted trigger, template reload enhancements, script teardown race condition fix, device class additions for weather sensors, multiple dependency updates, and bug fixes for uptime sensors and config validation across several integratio
Beta release containing various bug fixes and improvements across multiple integrations including Hive authentication, OpenAI reasoning, Victron GX device mapping, Broadlink infrared support, cover position fixes, sensor corrections, and frontend updates. No breaking changes identified.
Beta release announcement for Home Assistant Core 2026.5.0b0 with incomplete release notes, testing instructions, and issue reporting guidelines for the beta period.
Patch release addressing various integration bugs including Kodi media browsing, Victron BLE authentication issues, Google AI TTS case sensitivity, MQTT light color mode restoration, and API rate limiting improvements for Tractive. Also includes dependency updates and user validation enhancements.
Patch release addressing various integration bugs including crashes in Proxmox VE storage monitoring, template binary sensor device class issues, incorrect units in OpenEVSE and Growatt sensors, ESPHome color temperature problems, Wyoming satellite memory leaks, VOIP event loop blocking, and MQTT en
Bug fix release addressing various integration issues including meter disconnection handling, state corrections for LG soundbars and FRITZ!Box switches, authentication flow fixes, backup encryption calculations, and dependency updates across multiple integrations.
Patch release containing multiple bug fixes across various integrations including Tuya energy sensors, Ring snapshots, Tesla Fleet OAuth handling, and Sonos media state reporting. Includes one breaking change in SMHI integration and removes Transmission port forward sensor feature.
Beta release with backup storage improvements to use temporary directory and frontend update to version 20260325.5.
Beta release containing minor fixes and dependency updates including grammar correction for victron_ble error message, Chess.com player stats fetching fix, BMW integration repair skeleton addition, Dropbox integration extraction, and version bumps for multiple libraries including solarlog_cli, led-b
Unable to analyze release notes as the provided URL appears to be for a future version (2026.4.0) that does not exist yet, making the changelog inaccessible for review.
Beta release with entity naming changes that may affect automations, new valve conditions and triggers, Z-Wave sensor restructuring, vacation mode support for Econet, battery percentage fixes, OpenAI image generation improvements, and various dependency updates across multiple integrations.
Improved translation system performance by implementing asynchronous download functionality for language files.
Beta release with action naming improvements, bug fixes for nrgkick phase count and ista EcoTrend coordinator, new timer and calendar conditions, counter-specific conditions, platform registration optimizations, and frontend update to version 20260325.4.
Beta release with OAuth2 error handling improvements across multiple integrations, dependency updates including aiohttp security fix, Musiccast sound mode correction, Miele washing machine code addition, and MQTT vacuum segments support reversion.
Beta release adding weather humidity conditions, select conditions, device registry improvements, dependency updates for idasen-ha and aioamazondevices, missing Miele program codes, legacy entity naming, and frontend update to version 20260325.2.
Beta release adding new automation triggers for humidifier mode changes and battery events, Google Drive backup progress tracking, dependency updates for sense-energy and asyncsleepiq libraries, trigger/condition schema adjustments, and reverting a Z-Wave door sensor repair issue change.
Beta release with multiple breaking changes including removal of number entity support from various triggers/conditions, removal of tplink_lte integration, and updates to condition syntax. Also includes dependency updates, translation additions, and new condition types for climate, humidifier, and l