Pwnpanda

**Nome do Software Vulnerável e Versões Afetadas** SysReptor versões 2026.4 até 2026.26 **Descrição** Uma autorização inadequada nos endpoints utilizados para ler e criar links de compartilhamento de notas pessoais permite que atacantes autenticados, ao obterem o ID da nota de uma vítima, listem e criem links de compartilhamento para essas notas. Isso resulta em acesso não autorizado de leitura e escrita às notas pessoais de outros usuários. Este problema afeta as edições Professional e Community, embora não tenha impacto prático na edição Community, pois todos os usuários possuem permissões de superusuário e já podem listar notas pessoais através do endpoint '/admin/pentests/usernotebookpage/'. **Recomendações** Atualizar para a versão 2026.27.

**Name of the Vulnerable Software and Affected Versions** Home Assistant versions 2020.02 through 2026.01 **Description** Home Assistant, an open-source home automation software, contains a flaw where an authenticated user can inject malicious code into a device entity name. This allows for Cross-Site Scripting (XSS) attacks against other users who view a dashboard containing a Map-card that includes the compromised entity. The attack requires the victim to hover over an information point on the map. The issue is similar to a previously documented issue but affects entities displayed in a Map, rather than an energy dashboard. The impact of this flaw allows a user to potentially target other users and perform account takeover through client-side exploitation. **Recommendations** Update to version 2026.01 or later.

**Name of the Vulnerable Software and Affected Versions** Home Assistant versions 2025.02 through 2026.01 **Description** The "remaining charge time" sensor for mobile phones (imported from Android Auto) in Home Assistant is susceptible to cross-site scripting (XSS). This issue is similar to CVE-2025-62172. The History-graph card displays the name of the entity without proper output escaping or sanitization, allowing for the injection of arbitrary tags, including JavaScript. A malicious actor can exploit this by changing the name of the sensor to include a malicious payload, which is then executed when a user hovers over the graph. The impact of this vulnerability could allow an attacker to perform account takeover. The vulnerability appears to rely on the use of Android Auto, but may also be triggered by other devices with the same sensor. **Recommendations** Update to version 2026.01 or later to resolve this issue.