PT-2026-41449 · Home Assistant · Home Assistant Community Store

Lyghtnox

·

Published

2026-05-16

·

Updated

2026-05-27

·

CVE-2021-47942

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Home Assistant Community Store (HACS) version 1.10.0
Description A path traversal issue allows unauthenticated attackers to read sensitive files by traversing directories via the '/hacsfiles/' endpoint. This can be used to retrieve the .storage/auth file, which contains user credentials and refresh tokens, enabling the creation of valid JWT (JSON Web Tokens) to gain administrative access to Home Assistant instances.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2021-47942

Affected Products

Home Assistant Community Store