CVE-2026-33045

UNKNOWN 0.0

Home Assistant has stored XSS in history-graphs

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

14th

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue.

CWE	CWE-79
Vendor	home-assistant
Product	core
Published	Mar 27, 2026
Last Updated	Apr 1, 2026

Stay Ahead of the Next One

Get instant alerts for home-assistant core

Be the first to know when new unknown vulnerabilities affecting home-assistant core are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

home-assistant / core

>= 2025.02, < 2026.01

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72 github.com: https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m