CVE-2021-47942— Home Assistant Community Store 1.10.0 Path Traversal Account Takeover
Possible ATT&CK Techniques 3AI
T1552 · Unsecured Credentials T1078 · Valid Accounts T1083 · File and Directory DiscoveryAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Home-Assistant | Home Assistant Community Store (HACS) | < 1.10.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-47942
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Home Assistant Community Store 1.10.0 Path Traversal Account Takeover
Source: NVD (National Vulnerability Database)
Vulnerability Description
Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Home-Assistant | Home Assistant Community Store (HACS) | 0 ~ 1.10.0 | - |
II. Public POCs for CVE-2021-47942
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7853 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2021-47942
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Home-Assistant
- CVE-2026-34205
Home Assistant: Unauthenticated App (Add-on) Endpoints Expos - CVE-2026-33045
Home Assistant has stored XSS in history-graphs - CVE-2026-33044
Home Assistant has stored XSS in Map-card through malicious - CVE-2025-62172
Home Assistant vulnerable to Stored XSS in Energy dashboard - CVE-2025-25305
SSL validation for outgoing requests in Home Assistant Core
Same weakness: CWE-22
- CVE-2026-8736
Oinone Pamirs RestController LocalFileClient.java request.ge - CVE-2021-47977
WordPress Anti-Malware Security Bruteforce Firewall 4.20.59 - CVE-2021-47979
WordPress Plugin Backup and Restore 1.0.3 Arbitrary File Del - CVE-2026-44565
Open WebUI: Open WebUI Arbitrary File Write, Delete via Path - CVE-2026-44566
Open WebUI: Arbitrary File Upload and Path Traversal
V. Comments for CVE-2021-47942
No comments yet