GrowattCVEs & Vulnerabilities

30 CVEs affecting Growatt products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

cloud portal 30
CVE-2025-31950MEDIUM

An unauthenticated attacker can obtain EV charger energy consumption information of other users.

16 Apr 2025
5.3
CVSS
CVE-2025-31945MEDIUM

An unauthenticated attacker can obtain other users' charger information.

16 Apr 2025
5.3
CVSS
CVE-2025-31654MEDIUM

An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms").

16 Apr 2025
5.3
CVSS
CVE-2025-31360HIGH

Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.

16 Apr 2025
7.5
CVSS
CVE-2025-31147MEDIUM

Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.

16 Apr 2025
5.3
CVSS
CVE-2025-30512MEDIUM

Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off).

16 Apr 2025
6.5
CVSS
CVE-2025-30510CRITICAL

An attacker can upload an arbitrary file instead of a plant image.

16 Apr 2025
9.8
CVSS
CVE-2025-30257MEDIUM

Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account.

16 Apr 2025
5.3
CVSS
CVE-2025-27929MEDIUM

Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.

16 Apr 2025
5.3
CVSS
CVE-2025-27927MEDIUM

An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.

16 Apr 2025
5.3
CVSS
CVE-2025-27719MEDIUM

Unauthenticated attackers can query an API endpoint and get device details.

16 Apr 2025
5.3
CVSS
CVE-2025-27575MEDIUM

An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.

16 Apr 2025
5.3
CVSS
CVE-2025-27565MEDIUM

An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs.

16 Apr 2025
5.3
CVSS
CVE-2025-27561MEDIUM

Unauthenticated attackers can rename "rooms" of arbitrary users.

16 Apr 2025
5.3
CVSS
CVE-2025-26857MEDIUM

Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).

16 Apr 2025
5.3
CVSS
CVE-2025-25276MEDIUM

An unauthenticated attacker can hijack other users' devices and potentially control them.

16 Apr 2025
6.5
CVSS
CVE-2025-24850MEDIUM

An attacker can export other users' plant information.

16 Apr 2025
5.3
CVSS
CVE-2025-24315MEDIUM

Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).

16 Apr 2025
5.3
CVSS
CVE-2025-24297CRITICAL

Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal.

16 Apr 2025
9.8
CVSS
CVE-2025-31949MEDIUM

An authenticated attacker can obtain any plant name by knowing the plant ID.

16 Apr 2025
5.3
CVSS
CVE-2025-31941MEDIUM

An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.

16 Apr 2025
5.3
CVSS
CVE-2025-31933MEDIUM

An unauthenticated attacker can check the existence of usernames in the system by querying an API.

16 Apr 2025
5.3
CVSS
CVE-2025-31357MEDIUM

An unauthenticated attacker can obtain a user's plant list by knowing the username.

16 Apr 2025
5.3
CVSS
CVE-2025-30514MEDIUM

Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").

16 Apr 2025
5.3
CVSS
CVE-2025-30511MEDIUM

An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant.

16 Apr 2025
5.4
CVSS
CVE-2025-30254MEDIUM

An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username.

16 Apr 2025
5.3
CVSS
CVE-2025-27939HIGH

An attacker can change registered email addresses of other users and take over arbitrary accounts.

16 Apr 2025
7.5
CVSS
CVE-2025-27938MEDIUM

Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").

16 Apr 2025
5.3
CVSS
CVE-2025-27568MEDIUM

An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request.

16 Apr 2025
5.3
CVSS
CVE-2025-24487MEDIUM

An unauthenticated attacker can infer the existence of usernames in the system by querying an API.

16 Apr 2025
5.3
CVSS
← PrevPage 1 / 1Next →