CVE-2025-24297 — CVSS 9.8 (critical): Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal.
CVE-2025-30511 — CVSS 8.8 (high): An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a…
CVE-2025-27939 — CVSS 7.5 (high): An attacker can change registered email addresses of other users and take over arbitrary accounts.
CVE-2025-30512 — CVSS 6.5 (medium): Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off).
CVE-2025-31360 — CVSS 6.5 (medium): Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.
CVE-2025-27568 — CVSS 5.3 (medium): An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited…
CVE-2025-27575 — CVSS 5.3 (medium): An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.
CVE-2025-27927 — CVSS 5.3 (medium): An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.
CVE-2025-27938 — CVSS 5.3 (medium): Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").
CVE-2025-30254 — CVSS 5.3 (medium): An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username.
CVE-2025-30257 — CVSS 5.3 (medium): Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account.
CVE-2025-30514 — CVSS 5.3 (medium): Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").
CVE-2025-31147 — CVSS 5.3 (medium): Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.
CVE-2025-24315 — CVSS 5.3 (medium): Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).