Browse all 6 CVE security advisories affecting esphome. AI-powered Chinese analysis, POCs, and references for each vulnerability.
ESPHome is an open-source platform for building custom firmware for ESP8266/ESP32 microcontrollers, used primarily in IoT home automation. Historically it has faced vulnerabilities including remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation and insecure default configurations. While no major public security incident has been widely documented, the six CVEs on record point to risks in its web interface and communication protocols. The project maintains active security practices, but users should apply network segmentation and regular updates to reduce the risk of deploying it in connected home environments.
| CVE ID | Title | Project | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-23833 | ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component | esphome | CWE-190 | 8.6 (AI-estimated) | High (AI-estimated) | 2026-01-19 |
| CVE-2025-57808 | ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header | esphome | CWE-303 | 8.1 | High | 2025-09-02 |
| CVE-2024-29019 | ESPHome vulnerable to authentication bypass via cross-site request forgery | esphome | CWE-352 | 8.1 | High | 2024-03-21 |
| CVE-2024-27287 | ESPHome vulnerable to stored cross-site scripting in edit configuration file API | esphome | CWE-79 | 6.5 | Medium | 2024-03-06 |
| CVE-2024-27081 | ESPHome remote code execution via arbitrary file write | esphome | CWE-22 | 7.2 | High | 2024-02-26 |
| CVE-2021-41104 | web_server allows OTA update without checking user-defined basic auth username & password | esphome | CWE-306 | 7.5 | High | 2021-09-28 |
This page lists every published CVE security advisory associated with esphome. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.