Home Assistant में इतिहास-ग्राफ में संग्रहीत (Stored) XSS है

An attacker could exploit this XSS vulnerability to inject malicious scripts into the Home Assistant interface. This could lead to the theft of user credentials, session hijacking, or the execution of arbitrary code within the context of the user's Home Assistant session. The impact is particularly concerning as Home Assistant often controls sensitive home automation devices, potentially allowing an attacker to manipulate these devices. The similarity to CVE-2025-62172 suggests a shared root cause in how external data is sanitized and displayed within the Home Assistant environment.

Home Assistant users who have integrated the Android Auto sensor and are running versions 2025.02 through 2026.01 are at risk. This includes users with Android Auto-enabled mobile devices connected to their Home Assistant instances. Shared hosting environments running vulnerable versions of Home Assistant are also particularly vulnerable.

• linux / server: Monitor Home Assistant system logs for unusual activity or error messages related to the Android Auto integration. Use journalctl -u home-assistant to filter for relevant entries. • generic web: Inspect Home Assistant's web interface for unexpected script tags or unusual behavior when interacting with the "remaining charge time" sensor. Use curl -I <homeassistanturl>/<affectedendpoint> to check response headers for anomalies. • wordpress / composer / npm: N/A - This vulnerability is not directly related to WordPress, Composer, or npm. • database (mysql, redis, mongodb, postgresql): N/A - This vulnerability does not directly impact database systems. • windows / supply-chain: N/A - This vulnerability does not directly impact Windows or supply-chain components.

1. 2026-03-27Disclosure

   disclosure

1. आरक्षित2026-03-17
2. प्रकाशित2026-03-27
3. संशोधित2026-04-01
4. EPSS अद्यतन2026-04-04

The primary mitigation for CVE-2026-33045 is to upgrade Home Assistant to version 2026.01 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider temporarily disabling the "remaining charge time" sensor integration from Android Auto. While not a complete solution, this reduces the attack surface. Review Home Assistant's security best practices, including restricting access to the web interface and enabling two-factor authentication, to further minimize risk. After upgrading, verify the fix by attempting to inject a simple XSS payload via the Android Auto sensor data and confirming it is properly sanitized.