HIGH SeverityCVSS 4.08.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVE-2021-47942

Last updated May 16, 2026 · Published May 16, 2026

Description

Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances.

Affected products

1 listed

Home-Assistant:Home Assistant Community Store (HACS)

Mappings

CWE

CWE-22

CAPEC

None listed.

Research

Path traversal: how to detect and prevent itPath traversal lets attackers read or write files outside intended directories. Normalise paths, resolve them…
JSON Web Tokens (JWT)Explains JWT structure, threat models, and common validation pitfalls. Includes secure usage practices for…

Guides

JWT Security Best PracticesWhat to validate, rotate, and avoid in real systems.

Training

Secure File HandlingUploads, storage, and serving files without opening the door to attackers.

CVE-2021-47942

Description

Affected products

Mappings

Related