Platform: other
Component: core
Fixed in: 2026.01
CVE-2026-33045 describes a cross-site scripting (XSS) vulnerability discovered in Home Assistant, an open-source home automation platform. This vulnerability, affecting versions 2025.02 up to, but not including, 2026.01, arises from the handling of the "remaining charge time" sensor data imported from Android Auto. The vulnerability has been resolved in version 2026.01.
An attacker could exploit this XSS vulnerability to inject malicious scripts into the Home Assistant interface. This could lead to the theft of user credentials, session hijacking, or the execution of arbitrary JavaScript within the context of the user's Home Assistant session. The impact is particularly concerning because Home Assistant often controls sensitive home automation devices, potentially allowing an attacker to manipulate those devices through the victim's session. The similarity to CVE-2025-62172 suggests a shared root cause in how external data is sanitized and displayed within the Home Assistant environment.
CVE-2026-33045 was publicly disclosed on March 27, 2026. The vulnerability's similarity to CVE-2025-62172 suggests a potential for similar exploitation techniques. As of this writing, there is no indication of active exploitation campaigns targeting this specific vulnerability. The EPSS score is pending evaluation.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC:
The primary mitigation for CVE-2026-33045 is to upgrade Home Assistant to version 2026.01 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider temporarily disabling the "remaining charge time" sensor integration from Android Auto. While not a complete solution, this reduces the attack surface. Review Home Assistant's security best practices, including restricting access to the web interface and enabling two-factor authentication, to further minimize risk. After upgrading, verify the fix by attempting to inject a simple XSS payload via the Android Auto sensor data and confirming it is properly sanitized.
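The root-cause paragraph above and the verification step here both come down to one pattern: sensor data supplied by an integration is untrusted, yet it ends up rendered in the frontend (the history graphs). The following is an added illustration, not Home Assistant's own code; the sensor object, its attribute names and the test value are constructed for the example, and the real Android Auto data format is not shown on this page.

```javascript
// Added example (not Home Assistant code): rendering untrusted sensor data
// into a history-graph tooltip, the vulnerable way and the hardened way.

// Minimal HTML escaper covering the characters that break out of text
// and attribute contexts.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
}[c]));

// Constructed sample: an integration reports a sensor whose friendly_name
// carries markup. The entity_id and attributes are assumptions.
const sampleSensor = {
  entity_id: 'sensor.car_remaining_charge_time',
  state: '42',
  attributes: {
    friendly_name: 'Charge time <img src=x onerror=alert(1)>',
    unit_of_measurement: 'min',
  },
};

// Vulnerable pattern: untrusted fields concatenated straight into markup
// that is later assigned to innerHTML. The markup in friendly_name survives.
function renderTooltipUnsafe(sensor) {
  return `<div class="tooltip"><b>${sensor.attributes.friendly_name}</b>: ` +
         `${sensor.state} ${sensor.attributes.unit_of_measurement}</div>`;
}

// Hardened pattern: every field that originated outside the frontend is
// escaped before it reaches the DOM. In a real frontend, prefer textContent
// or the framework's text bindings over building HTML strings at all.
function renderTooltipSafe(sensor) {
  const name = escapeHtml(sensor.attributes.friendly_name);
  const state = escapeHtml(sensor.state);
  const unit = escapeHtml(sensor.attributes.unit_of_measurement || '');
  return `<div class="tooltip"><b>${name}</b>: ${state} ${unit}</div>`;
}

// Review/regression check: does the rendered markup contain any tag other
// than the ones the template itself emits (div, b)? A match means an
// untrusted field reached the DOM unescaped.
function containsRawTag(html) {
  return /<(?!\/?(div|b)\b)[a-z]/i.test(html);
}
```

The same check can be run against a post-upgrade instance's rendered tooltip to confirm the fix: the escaped output must keep the markup as literal text (`&lt;img ...&gt;`) rather than as an element.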
Update Home Assistant to version 2026.01 or later. This version contains the fix for the stored XSS vulnerability in the history graphs.
CVE-2026-33045 is a cross-site scripting (XSS) vulnerability affecting Home Assistant versions 2025.02 through 2026.01, allowing attackers to inject malicious scripts via the Android Auto 'remaining charge time' sensor.
You are affected if you are running Home Assistant versions 2025.02 to 2026.01 and have the Android Auto sensor integration enabled.
Upgrade Home Assistant to version 2026.01 or later. As a temporary workaround, disable the Android Auto sensor integration.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-33045, but its similarity to CVE-2025-62172 warrants caution.
Refer to the official Home Assistant security advisory on their website for detailed information and updates: [https://www.home-assistant.io/blog/](https://www.home-assistant.io/blog/)