Home Assistant Stored Cross-Site Scripting Vulnerability in Energy Dashboard

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Home Assistant energy dashboard, affecting versions 2025.1.0 through 2025.10.1. An authenticated user who can rename an energy entity can place JavaScript in the entity's name; because the frontend inserts entity names into the dashboard's tooltips without escaping them, the script runs in the browser of any other user who hovers over that entity's data points. The injection does not even require a malicious user: if an energy provider integration such as Tibber assigns a malicious default name to an entity, the payload is stored and delivered with no user intervention. The issue has been resolved in version 2025.10.2.

Impact

Exploitation of this vulnerability results in cross-site scripting: the injected JavaScript executes in the victim's browser within their authenticated Home Assistant session. It can therefore perform any action the victim's frontend can, such as calling services, changing configuration or reading state through the authenticated API, and it can exfiltrate data visible to that user. Where the victim (for example an administrator viewing the energy dashboard) holds more privileges than the account that set the name, the bug becomes a privilege-escalation path.

Reproduction

To reproduce this vulnerability, rename an energy entity as an authenticated user so that its name contains JavaScript wrapped in HTML markup, then save the change. When a user hovers over the corresponding data points in the energy dashboard, the tooltip renders the name as markup and the injected script executes. Alternatively, if an energy provider integration such as Tibber assigns a default name containing malicious code, the same execution occurs with no renaming step, as soon as a user views the dashboard and triggers the tooltip.
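As an added illustration of the rendering bug described in the Vulnerability and Reproduction sections above (this is not code from the Home Assistant frontend; the function names, the sample entity registry and the payload are all invented for the example), the following JavaScript contrasts a tooltip built by interpolating the entity name straight into HTML with one that escapes it first, and adds a small audit helper that flags entity names containing markup on an instance that has not yet been updated:

```javascript
// Added example (not Home Assistant frontend code): the unsafe tooltip pattern
// the advisory describes next to an escaped version, plus an audit helper for
// entity names. All function and variable names here are hypothetical.

const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Vulnerable pattern: the entity name is interpolated into tooltip markup
// verbatim. When this string is assigned to innerHTML (or handed to a chart
// library's HTML tooltip formatter), any tag or event handler in the name
// becomes live DOM and runs in the viewer's session.
function buildTooltipUnsafe(entity, kwh) {
  return `<div class="tooltip"><b>${entity.name}</b>: ${kwh} kWh</div>`;
}

// Hardened pattern: every untrusted string is escaped before interpolation, so
// the name is displayed as text. Setting textContent on a real element instead
// of assigning innerHTML is the equivalent DOM-level fix.
function buildTooltipSafe(entity, kwh) {
  return `<div class="tooltip"><b>${escapeHtml(entity.name)}</b>: ${escapeHtml(kwh)} kWh</div>`;
}

// Audit helper: flag entity names that carry a tag, an inline event handler
// or a javascript: URL. This is a crude triage check for an instance that
// cannot be updated yet; the real fix is the 2025.10.2 upgrade.
const SUSPICIOUS_NAME = /<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript\s*:/i;

function findSuspiciousEntities(entities) {
  return entities
    .filter((e) => SUSPICIOUS_NAME.test(e.name || ""))
    .map((e) => e.entity_id);
}

// Constructed sample registry. The payload is a generic XSS marker, not the
// string from the advisory; the third entry shows a harmless "<" that the
// audit regex must not flag.
const SAMPLE_ENTITIES = [
  { entity_id: "sensor.grid_import", name: 'Grid <img src=x onerror="alert(document.cookie)">' },
  { entity_id: "sensor.solar_production", name: "Solar production" },
  { entity_id: "sensor.battery_out", name: "Battery <3 discharge" },
];

const victim = SAMPLE_ENTITIES[0];
console.log(buildTooltipUnsafe(victim, 12.5)); // raw <img ... onerror=...> survives
console.log(buildTooltipSafe(victim, 12.5));   // &lt;img ... &gt; is shown as text
console.log(findSuspiciousEntities(SAMPLE_ENTITIES)); // ["sensor.grid_import"]
```

Run it with `node`. On a live instance the audit input would be the entity list as the frontend sees it; the REST endpoint `/api/states` (with a bearer token) returns each entity with its display name under `attributes.friendly_name`, which can be mapped onto the `name` field the helper expects.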

Remediation

Users can update to Home Assistant version 2025.10.2 or later to address this vulnerability.

Added: Oct 14, 2025, 4:18 PM
Updated: Oct 14, 2025, 10:44 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 1.7
exploitability: 6.2
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.