In Home Assistant prior to 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markdown text, aka XSS.
home-assistant home-assistant