Platform
other
Component
core
Fixed version
2026.01
CVE-2026-33045 describes a cross-site scripting (XSS) vulnerability discovered in Home Assistant, an open-source home automation platform. It affects versions from 2025.02 up to, but not including, 2026.01, and arises from the handling of the "remaining charge time" sensor value imported from Android Auto: the value reaches the web frontend without adequate sanitization. The vulnerability is fixed in version 2026.01.
An attacker who can control that sensor value can inject a script into the Home Assistant interface. The script runs in the victim's browser with the victim's Home Assistant session, which allows theft of credentials or session tokens, session hijacking, and any action the victim is permitted to perform through the web interface, including calling services against the devices the instance controls. The similarity to CVE-2025-62172 suggests a shared root cause in how externally supplied data is sanitized before it is displayed in the Home Assistant frontend.
CVE-2026-33045 was publicly disclosed on March 27, 2026. Its similarity to CVE-2025-62172 suggests that comparable exploitation techniques would apply. As of this writing there is no indication of active exploitation campaigns targeting this vulnerability, and the EPSS score is low (0.03%, 7th percentile).
Home Assistant users who have integrated the Android Auto sensor and are running a version from 2025.02 up to, but not including, 2026.01 are at risk. This includes users with Android Auto-enabled mobile devices connected to their Home Assistant instances. Instances that are reachable from the internet or shared by several users carry a higher risk, because a stored payload is rendered for every user who views the affected sensor and a hijacked session on such an instance is more valuable.
• linux / server: Monitor Home Assistant logs for unusual activity or errors related to the Android Auto integration. The systemd unit name depends on the install method (for a venv install it is commonly home-assistant@homeassistant, so journalctl -u home-assistant@homeassistant); on Home Assistant OS use ha core logs, and for a container install use docker logs on the Home Assistant container.
• generic web: Inspect the places where the "remaining charge time" value is rendered (entity cards, history graphs) for unexpected markup or behaviour. Response headers from curl -I tell you nothing about a stored XSS; instead confirm the running version with curl -s -H "Authorization: Bearer $TOKEN" <homeassistanturl>/api/config and read the version field, and review the sensor's stored state with the /api/states endpoint for characters such as < or > that have no place in a numeric value.
• wordpress / composer / npm, databases (mysql, redis, mongodb, postgresql), windows / supply-chain: not applicable; this vulnerability is confined to the Home Assistant web frontend.
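The two checks above (is the running version in the affected range, and does the stored sensor value carry markup) can be scripted against the Home Assistant REST API. The following is an added example, not code from the advisory or from the Home Assistant project. It uses the real /api/config and /api/states endpoints with a long-lived access token; the entity-id filter "charge" and the sample states are assumptions and constructed test data, since the advisory does not name the entity id the Android Auto integration creates.

```python
import json
import os
import re
import urllib.request

# Version boundaries taken from the advisory: affected from 2025.02, fixed in 2026.01.
FIRST_AFFECTED = (2025, 2)
FIXED_VERSION = (2026, 1)

# Markup-like fragments that have no business in a numeric "remaining charge time" value.
SUSPICIOUS = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def parse_version(text):
    """Turn a Home Assistant version string such as '2025.12.3' into a (year, month) tuple."""
    m = re.match(r"(\d{4})\.(\d{1,2})", text.strip())
    if not m:
        raise ValueError(f"unrecognised Home Assistant version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version_text):
    """True when the version lies in [2025.02, 2026.01), the range the advisory names."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIXED_VERSION


def find_suspicious_states(states, entity_filter="charge"):
    """Return (entity_id, offending_text) for entities whose id contains entity_filter
    (assumption: the Android Auto sensor id mentions 'charge') and whose state or
    friendly_name attribute contains markup-like characters."""
    hits = []
    for s in states:
        eid = s.get("entity_id", "")
        if entity_filter not in eid:
            continue
        attrs = s.get("attributes") or {}
        for text in (str(s.get("state", "")), str(attrs.get("friendly_name", ""))):
            if SUSPICIOUS.search(text):
                hits.append((eid, text))
                break
    return hits


def fetch_json(base_url, token, path):
    """GET a Home Assistant REST endpoint with a long-lived access token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample data standing in for /api/states; entity ids are invented.
SAMPLE_STATES = [
    {"entity_id": "sensor.car_remaining_charge_time",
     "state": "<img src=x onerror=alert(document.cookie)>",
     "attributes": {"friendly_name": "Car remaining charge time"}},
    {"entity_id": "sensor.charge_eta", "state": "45",
     "attributes": {"friendly_name": "Charge ETA"}},
    {"entity_id": "sensor.car_battery_level", "state": "<b>80</b>",
     "attributes": {"friendly_name": "Battery"}},  # ignored: id does not match the filter
]


def audit(version_text, states):
    """Combine both checks into one report dict."""
    return {"version": version_text,
            "affected_version": is_affected(version_text),
            "suspicious": find_suspicious_states(states)}


if __name__ == "__main__":
    base, token = os.environ.get("HA_URL"), os.environ.get("HA_TOKEN")
    if base and token:
        version = fetch_json(base, token, "/api/config")["version"]
        states = fetch_json(base, token, "/api/states")
    else:  # offline: run against the constructed sample
        version, states = "2025.11.0", SAMPLE_STATES
    print(json.dumps(audit(version, states), indent=2))
```

Run it with HA_URL and HA_TOKEN set to audit a live instance; without them it exercises the constructed sample. A hit in "suspicious" on an unpatched version is a reason to treat the instance as compromised and rotate tokens, not just to upgrade.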
Disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33045 is to upgrade Home Assistant to version 2026.01 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider temporarily disabling the "remaining charge time" sensor integration from Android Auto. While not a complete solution, this reduces the attack surface. Review Home Assistant's security best practices, including restricting access to the web interface and enabling two-factor authentication, to further minimize risk. After upgrading, verify the fix by attempting to inject a simple XSS payload via the Android Auto sensor data and confirming it is properly sanitized.
Update Home Assistant to version 2026.01 or later. This version includes the fix for the stored XSS vulnerability in history-graphs.
CVE-2026-33045 is a cross-site scripting (XSS) vulnerability affecting Home Assistant versions from 2025.02 up to, but not including, 2026.01, allowing attackers to inject malicious scripts via the Android Auto 'remaining charge time' sensor.
You are affected if you are running a Home Assistant version from 2025.02 up to, but not including, 2026.01 and have the Android Auto sensor integration enabled.
Upgrade Home Assistant to version 2026.01 or later. As a temporary workaround, disable the Android Auto sensor integration.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-33045, but its similarity to CVE-2025-62172 warrants caution.
Refer to the official Home Assistant security advisory on their website for detailed information and updates: [https://www.home-assistant.io/blog/](https://www.home-assistant.io/blog/)