PT-2026-28467 · Google+1 · Android Auto+1

Pwnpanda · Published 2026-03-27 · Updated 2026-03-29 · CVE-2026-33045

CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Home Assistant versions 2025.02 through 2026.01

Description: The "remaining charge time" sensor for mobile phones (imported from Android Auto) in Home Assistant is susceptible to cross-site scripting (XSS). This issue is similar to CVE-2025-62172. The History-graph card renders the entity's name without output escaping or sanitization, so arbitrary tags, including JavaScript, can be injected through it. A malicious actor can exploit this by renaming the sensor to include a malicious payload, which is then executed when a user hovers over the graph. The impact of this vulnerability could extend to account takeover. The vulnerability appears to rely on the use of Android Auto, but may also be triggered by other devices that expose the same sensor.

Recommendations: Update to version 2026.01 or later to resolve this issue.
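As an added illustration of the escaping the description calls for, here is the vulnerable rendering pattern beside its hardened form (example code, not Home Assistant's own history-graph implementation; the entity object shape, the tooltip template and the sample sensor name are assumptions):

```javascript
// Added example (not Home Assistant's code). An entity's friendly name is
// attacker-controlled data: whoever can rename the sensor decides what text
// lands in the graph tooltip, so it must be escaped before it becomes markup.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the friendly name is concatenated straight into markup,
// so any tag inside the name is parsed as part of the tooltip.
function tooltipHtmlUnsafe(entity) {
  return `<b>${entity.name}</b>: ${entity.state} min remaining`;
}

// Hardened pattern: every untrusted field is escaped first; the only tags in
// the output are the ones the template itself emits.
function tooltipHtmlSafe(entity) {
  return `<b>${escapeHtml(entity.name)}</b>: ${escapeHtml(entity.state)} min remaining`;
}

// Structural check for a test or a lint: list the tags present in rendered
// markup, so a render can be compared against the template's own tag set.
function tagsIn(html) {
  return html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
}

// Constructed sample: a phone's "remaining charge time" sensor whose name has
// been changed to carry a tag (hypothetical value, not from the advisory).
const renamedSensor = { name: "Pixel <script>alert(1)</script>", state: "42" };
```

Run on the constructed sensor, the unsafe template yields four tags (the injected script element parses as real markup) while the safe template yields only the template's own two.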

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33045
GHSA-46J8-VPX8-6P72

Affected Products

Android Auto
Home Assistant