Pwnpanda

**Name of the Vulnerable Software and Affected Versions** SysReptor versions 2026.4 through 2026.26 **Description** Improper authorization in endpoints used for reading and creating sharing links for personal notes allows authenticated attackers with a victim's note ID to list and create sharing links to those notes. This results in unauthorized read and write access to other users' personal notes. This issue affects both Professional and Community editions, although it has no practical impact on the Community edition since all users possess superuser permissions and can already list personal notes via the '/admin/pentests/usernotebookpage/' endpoint. **Recommendations** Update to version 2026.27.

**Name of the Vulnerable Software and Affected Versions** Home Assistant versions 2020.02 through 2026.01 **Description** Home Assistant, an open-source home automation software, contains a flaw where an authenticated user can inject malicious code into a device entity name. This allows for Cross-Site Scripting (XSS) attacks against other users who view a dashboard containing a Map-card that includes the compromised entity. The attack requires the victim to hover over an information point on the map. The issue is similar to a previously documented issue but affects entities displayed in a Map, rather than an energy dashboard. The impact of this flaw allows a user to potentially target other users and perform account takeover through client-side exploitation. **Recommendations** Update to version 2026.01 or later.

**Name of the Vulnerable Software and Affected Versions** Home Assistant versions 2025.02 through 2026.01 **Description** The "remaining charge time" sensor for mobile phones (imported from Android Auto) in Home Assistant is susceptible to cross-site scripting (XSS). This issue is similar to CVE-2025-62172. The History-graph card displays the name of the entity without proper output escaping or sanitization, allowing for the injection of arbitrary tags, including JavaScript. A malicious actor can exploit this by changing the name of the sensor to include a malicious payload, which is then executed when a user hovers over the graph. The impact of this vulnerability could allow an attacker to perform account takeover. The vulnerability appears to rely on the use of Android Auto, but may also be triggered by other devices with the same sensor. **Recommendations** Update to version 2026.01 or later to resolve this issue.