Medium (CVSS: 6.9)
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.

Medium (CVSS: 6.9)
An unauthenticated attacker can check the existence of usernames in the system by querying an API.

Medium (CVSS: 6.9)
An unauthenticated attacker can obtain a user's plant list by knowing the username.

Medium (CVSS: 6.9)
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").

High (CVSS: 8.7)
An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant.

Medium (CVSS: 6.9)
An unauthenticated attacker can obtain the serial number(s) of a user's smart meter(s) by knowing the owner's username.

Medium (CVSS: 6.9)
An attacker can change the registered email addresses of other users and take over arbitrary accounts.

Medium (CVSS: 6.9)
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").

Medium (CVSS: 6.9)
An unauthenticated attacker can obtain users' email addresses by knowing their usernames. A password reset email will be sent to the user in response to this unsolicited request.

Medium (CVSS: 6.9)
An unauthenticated attacker can infer the existence of usernames in the system by querying an API.