Vulnerability Description
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Home-Assistant | Home-Assistant | >= 2025.2.0, < 2026.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72ExploitVendor Advisory
- https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285mExploitVendor Advisory
- https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72ExploitVendor Advisory
FAQ
What is CVE-2026-33045?
CVE-2026-33045 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile...
How severe is CVE-2026-33045?
CVE-2026-33045 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33045?
Check the references section above for vendor advisories and patch information. Affected products include: Home-Assistant Home-Assistant.