{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33045", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.211Z", "datePublished": "2026-03-27T19:39:03.590Z", "dateUpdated": "2026-03-27T19:39:03.590Z"}, "containers": {"cna": {"title": "Home Assistant has stored XSS in history-graphs", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72"}, {"name": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m", "tags": ["x_refsource_MISC"], "url": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m"}], "affected": [{"vendor": "home-assistant", "product": "core", "versions": [{"version": ">= 2025.02, < 2026.01", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:39:03.590Z"}, "descriptions": [{"lang": "en", "value": "Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the \"remaining charge time\"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue."}], "source": {"advisory": "GHSA-46j8-vpx8-6p72", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the \"remaining charge time\"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue."}], "id": "CVE-2026-33045", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:31.150", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72"}, {"source": "security-advisories@github.com", "url": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2025.02,2026.01)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "core", "source": "cna", "vendor": "home-assistant"}, "product": "core", "vendor": "home-assistant"}], "analysis": {"en": {"generated_at": "2026-03-27T22:06:47.936622+00:00", "value": {"mitigation_remediation": ["Upgrade Home Assistant to version 2026.01 or later.", "Disable or remove the remaining charge time sensor if it is not needed.", "Clear any cached history\u2011graph data or reload the UI to ensure no malicious payload remains."], "summary": {"action": "Patch Now", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "Home Assistant versions released from 2025.02 up to and including those before 2026.01 are vulnerable when the remaining charge time sensor is enabled. The vulnerability is fixed in the 2026.01 release. Any installation that includes the Android\u2011Auto\u2011derived sensor and displays it within history\u2011graphs is at risk.", "description_and_impact": "The Home Assistant core software contains a stored cross\u2011site scripting flaw that manifests when users view the history\u2011graphs page. The bug allows an attacker to inject malicious JavaScript through the remaining charge time sensor data that is imported from Android Auto. Once injected, the script runs in the browser context of any user who opens the affected graph, potentially stealing cookies, hijacking sessions, or executing arbitrary client\u2011side actions. The flaw is a classic input\u2011validation error that results in stored XSS.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high severity and signifies that a successful exploit can compromise confidentiality and integrity. The attack requires an attacker capable of injecting malicious data into the sensor feed, or a compromised phone integrated via Android Auto, and an authenticated user must visit the history\u2011graphs page for the payload to execute. Because the vector is not remote network code execution but rather client\u2011side script injection through sensor data, the overall risk is moderate to high for environments that expose unauthorized users to the sensor or that rely on untrusted phones."}}}}, "created": "2026-03-29T20:30:26.269441+00:00", "updated": "2026-03-30T07:00:39.725181+00:00", "vendors": ["home-assistant", "home-assistant$PRODUCT$core"]}