anonhaven
Ad

CVE-2026-33045

HIGH CVSS 4.0: 7.3 EPSS 0.03%
Updated Mar 31, 2026
Home-Assistant
Parameter Value
CVSS 7.3 (HIGH)
Affected Versions 2025.2.0 — 2026.1.0
Fixed In 2026.1.0
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Home-Assistant
Public PoC No

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
Low
Basic privileges needed
User Interaction
Active
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Home-Assistant Home-Assistant
cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*
 2025.2.0 2026.1.0

References 2

https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72
security-advisories@github.com
https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33044

Home-Assistant

7.3

CVE-2025-65713

Home-Assistant

4.0