Description
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time" sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable to cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue.
Published: 2026-03-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

A stored cross-site scripting flaw exists in the history graphs that display the "remaining charge time" sensor for mobile phones. An attacker who can inject malicious JavaScript into that sensor's stored data causes the script to execute whenever any user opens the affected chart. The consequences include theft of session cookies, actions performed with the victim's credentials, and manipulation of the web interface. The root cause (CWE-79) is an input validation failure: attacker-controlled markup is stored and later rendered as executable code.
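The rendering bug class described above, as an added example that is not Home Assistant's own code: a history-graph tooltip built by interpolating sensor attributes straight into markup, beside the same builder with HTML escaping applied and a small guard a unit test can use to catch regressions. The entity id, the attribute values and the `buildTooltip*`/`containsInjectedTag` functions are assumptions constructed for the demonstration.

```javascript
// Added example, not Home Assistant's own code. Shows the CWE-79 pattern
// behind CVE-2026-33045: sensor text that originates outside the frontend is
// interpolated into chart markup and later handed to innerHTML.

// Constructed sample state, shaped like a Home Assistant state object. The
// entity id is assumed; friendly_name carries a hypothetical hostile value.
const HOSTILE_STATE = {
  entity_id: "sensor.phone_remaining_charge_time",
  state: "42",
  attributes: {
    friendly_name: "Phone remaining charge time<script>alert(1)</script>",
    unit_of_measurement: "min",
  },
};

// Vulnerable pattern: attribute text goes into the markup untouched, so any
// tags it contains are parsed as HTML when the tooltip is rendered.
function buildTooltipUnsafe(state) {
  const { friendly_name, unit_of_measurement } = state.attributes;
  return `<b>${friendly_name}</b>: ${state.state} ${unit_of_measurement}`;
}

// Escape the five characters that matter for text placed in element content
// or in a quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every field that did not come from the template itself is
// escaped before it becomes part of the markup. Assigning textContent instead
// of innerHTML achieves the same result when a DOM is available.
function buildTooltipSafe(state) {
  const { friendly_name, unit_of_measurement } = state.attributes;
  return `<b>${escapeHtml(friendly_name)}</b>: ` +
    `${escapeHtml(state.state)} ${escapeHtml(unit_of_measurement)}`;
}

// Defender-side guard for a unit test: true when the rendered markup contains
// any tag other than the fixed <b>...</b> wrapper the template itself emits.
function containsInjectedTag(html) {
  return /<(?!\/?b>)[a-z!\/]/i.test(html);
}
```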

Affected Systems

The problem affects Home Assistant core. Versions from 2025.02 up to, but not including, 2026.01 contain the flaw; version 2026.01 and later fix it by sanitizing the input. No other components or integrations are listed as vulnerable.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity. The EPSS score is below 1%, suggesting a low probability of exploitation at present, and the flaw is not catalogued as a known exploited vulnerability. The attack vector is inferred rather than documented: an attacker would supply the malicious data through the web interface, likely from an authenticated or compromised user session, after which the script executes for anyone who views the history graph.

Generated by OpenCVE AI on March 31, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Home Assistant to version 2026.01 or later
  • If upgrading is not feasible immediately, disable or remove the remaining charge time sensor or the Android Auto integration that generates it
  • Monitor user activity for suspicious script execution, limit web interface access to trusted users, and consider applying web‑application firewall rules to block injected scripts

Advisories
Source: GitHub GHSA
ID: GHSA-46j8-vpx8-6p72
Title: Home Assistant has stored XSS in history-graphs
History

Wed, 01 Apr 2026 02:15:00 +0000
  Values added:
    Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 14:15:00 +0000
  Values added:
    First Time appeared: Home-assistant home-assistant
    CPEs: cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*
    Vendors & Products: Home-assistant home-assistant
    Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Mon, 30 Mar 2026 07:15:00 +0000
  Values added:
    First Time appeared: Home-assistant; Home-assistant core
    Vendors & Products: Home-assistant; Home-assistant core

Fri, 27 Mar 2026 20:00:00 +0000
  Values added:
    Description: Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue.
    Title: Home Assistant has stored XSS in history-graphs
    Weaknesses: CWE-79
    References:
    Metrics: cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T03:55:27.034Z

Reserved: 2026-03-17T18:10:50.211Z

Link: CVE-2026-33045

Vulnrichment

Updated: 2026-03-31T19:08:11.401Z

NVD

Status: Modified

Published: 2026-03-27T20:16:31.150

Modified: 2026-03-31T20:16:27.450

Link: CVE-2026-33045

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:00:47Z

Weaknesses