{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33045", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.211Z", "datePublished": "2026-03-27T19:39:03.590Z", "dateUpdated": "2026-04-01T03:55:27.034Z"}, "containers": {"cna": {"title": "Home Assistant has stored XSS in history-graphs", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72"}, {"name": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m", "tags": ["x_refsource_MISC"], "url": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m"}], "affected": [{"vendor": "home-assistant", "product": "core", "versions": [{"version": ">= 2025.02, < 2026.01", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:39:03.590Z"}, "descriptions": [{"lang": "en", "value": "Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the \"remaining charge time\"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue."}], "source": {"advisory": "GHSA-46j8-vpx8-6p72", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33045"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T03:55:27.034Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33045", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T18:39:17.774804Z"}}}], "references": [{"url": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:08:11.401Z"}}], "cna": {"title": "Home Assistant has stored XSS in history-graphs", "source": {"advisory": "GHSA-46j8-vpx8-6p72", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "home-assistant", "product": "core", "versions": [{"status": "affected", "version": ">= 2025.02, < 2026.01"}]}], "references": [{"url": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72", "name": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m", "name": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the \"remaining charge time\"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:39:03.590Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33045", "state": "PUBLISHED", "dateUpdated": "2026-03-31T19:10:09.179Z", "dateReserved": "2026-03-17T18:10:50.211Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T19:39:03.590Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*", "matchCriteriaId": "72B235CE-5F53-4FAA-8388-0DC5A3DE21D1", "versionEndExcluding": "2026.1.0", "versionStartIncluding": "2025.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the \"remaining charge time\"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue."}], "id": "CVE-2026-33045", "lastModified": "2026-03-31T20:16:27.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:31.150", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2025.02,2026.01)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "core", "source": "cna", "vendor": "home-assistant"}, "product": "core", "vendor": "home-assistant"}], "analysis": {"en": {"generated_at": "2026-03-31T16:36:14.941754+00:00", "value": {"mitigation_remediation": ["Upgrade Home Assistant to version 2026.01 or later", "If upgrading is not feasible immediately, disable or remove the remaining charge time sensor or the Android Auto integration that generates it", "Monitor user activity for suspicious script execution, limit web interface access to trusted users, and consider applying web\u2011application firewall rules to block injected scripts"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The problem affects Home Assistant core. Versions beginning with 2025.02 through any release before 2026.01 contain the flaw, while version 2026.01 and later have fixed the issue by sanitizing the input. No other components or integrations are listed as vulnerable.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in the history\u2011graphs that display the remaining charge time sensor for mobile phones. By injecting malicious JavaScript into that sensor, an attacker can cause the script to execute whenever any user opens the affected chart. This can result in theft of session cookies, unauthorized actions performed with the user\u2019s credentials, or manipulation of the web interface. The vulnerability is an input validation failure that stores and later executes malicious code.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high risk potential. The EPSS score is less than 1%, suggesting a low probability of exploitation at present. The flaw is not catalogued as a known exploited vulnerability. It is inferred that the attack vector would involve supplying the malicious data through the web interface, likely by authenticating or compromising a user session, which would then lead to script execution for anyone who views the history graph."}}}}, "created": "2026-03-29T20:30:26.269441+00:00", "updated": "2026-03-31T20:00:47.464978+00:00", "vendors": ["home-assistant", "home-assistant$PRODUCT$core"]}