home-assistant/frontend

[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.

[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.

[MINED116] Workflow uses `secrets.NETLIFY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NETLIFY_AUTH_TOK…

[MINED116] Workflow uses `secrets.NETLIFY_GALLERY_SITE_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NETLIFY_GAL…

[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-…

[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).

[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes — direct RCE on untrusted input. `unsafe_load` is even more dang…

Consent is collected in UI without visible backend audit persistence

[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/python:3.14` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/python:3.14` resolves the tag at build time. The registry CAN re-p…

[SEC006] XSS Risk: Direct HTML injection without sanitization.

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).

[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).

[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

localStorage write failures are swallowed silently

localStorage write failures are swallowed silently

[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

Docker final stage has no non-root USER

Docker build context has no .dockerignore

[ERR002] Empty Catch Block: Empty catch blocks hide errors.

Browser storage is used for session token material

Browser storage is used for session token material

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

Frontend API reference is not matched by discovered backend routes

[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…

[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…

Public web service has no security.txt

robots.txt blocks the full public site

Public web app has no Content Security Policy

[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.

[SEC006] XSS Risk: Direct HTML injection without sanitization.

[SEC006] XSS Risk: Direct HTML injection without sanitization.

Public web app has no sitemap

robots.txt does not advertise a sitemap

Public docs site has no llms.txt

Public web app has no humans.txt

[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED044] Js Console Log Prod (and 67 more): Same pattern found in 67 additional files. Review if needed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED045] Ts Non Null Assertion (and 514 more): Same pattern found in 514 additional files. Review if needed.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.

[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.

[MINED052] Ts Any Typed (and 254 more): Same pattern found in 254 additional files. Review if needed.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED054] Ts As Any (and 120 more): Same pattern found in 120 additional files. Review if needed.

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…

[SEC006] XSS Risk (and 3 more): Same pattern found in 3 additional files. Review if needed.

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 66 more): Same pattern found in 66 additional files. Review if needed.

[SEC040] innerHTML XSS — template literal with server-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed.

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer" (and 3 more): Same pattern found in 3 additional files. Review if needed.

[SEC087] JS: weak Math.random for crypto (and 6 more): Same pattern found in 6 additional files. Review if needed.

[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.

[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 53 more): Same pattern found in 53 additional files. Review if needed.