Is homeassistant safe to use?

homeassistant has 6 known vulnerabilities on the latest version (2022.6.3). DepScope rates its health at 37/100 (critical risk).

What is the latest version of homeassistant?

The latest version of homeassistant is 2022.6.3, released 2025-04-22.

Does homeassistant have known vulnerabilities?

Yes. homeassistant has 6 known vulnerabilities. See depscope.dev/pkg/conda/homeassistant for details.

Is homeassistant deprecated?

No, homeassistant is actively maintained. Latest release: 2022.6.3 (2025-04-22).

What are alternatives to homeassistant?

DepScope has no curated alternatives for homeassistant at this time.

What license does homeassistant use?

homeassistant is licensed under Apache-2.0.

homeassistant

condav2022.6.3

Open source home automation that puts local control and privacy first.

License Apache-2.0permissive61 versions1 maintainers0 deps894 weekly dl

home-assistant/core

/ 100

Health

update required

[email protected] has vulnerabilities — update to latest

Update to >= 2023.9.0 to fix known vulnerabilities

Low health score (37/100)
1 high severity vulnerabilities

Health breakdown0 – 100

5/25

maintenance

3/20

popularity

12/25

security

15/15

maturity

2/15

community

Vulnerabilities

1 high4 medium1 low

Advisories (6)

Severity	ID	Summary	Fixed in
medium	CVE-2023-50715	User accounts disclosed to unauthenticated actors on the LAN	2023.12.3
high	CVE-2025-25305	Home Assistant does not correctly validate SSL for outgoing requests in core and used libs	2024.1.6
medium	CVE-2025-65713	Home Assistant Core before is vulnerable to Directory Traversal	2025.8.0
medium	CVE-2023-41893	Home Assistant vulnerable to account takeover via auth_callback login	2023.9.0
low	CVE-2026-33044	Home Assistant has stored XSS in Map-card through malicious device name	2026.01
medium	CVE-2023-41893	Home assistant is an open source home automation. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to	2023.9.0

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/conda/homeassistant

First published · 2021-10-01 00:53:27.549000+00:00

Last updated · 2025-04-22 14:58:01.617000+00:00

Severity

Summary

Fixed in

medium

CVE-2023-50715

User accounts disclosed to unauthenticated actors on the LAN

2023.12.3

high

CVE-2025-25305

Home Assistant does not correctly validate SSL for outgoing requests in core and used libs

2024.1.6

medium

CVE-2025-65713

Home Assistant Core before is vulnerable to Directory Traversal

2025.8.0

medium

CVE-2023-41893

Home Assistant vulnerable to account takeover via auth_callback login

2023.9.0

low

CVE-2026-33044

Home Assistant has stored XSS in Map-card through malicious device name

2026.01

medium

CVE-2023-41893

Home assistant is an open source home automation. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` are alterable when logging in. Consequently, the code parameter utilized to fetch the `access_token` post-authentication will be sent to the URL specified in the aforementioned parameters. Since an arbitrary URL is permitted and `homeassistant.local` represents the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to

2023.9.0