PT-2026-33382 · Unknown · Homeassistant-Cli

Heyitspiyush · Published 2026-04-16 · Updated 2026-04-21 · CVE-2026-40602

CVSS v3.1: 5.6 (Medium)
Vector: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: home-assistant-cli versions prior to 1.0.0
Description: The Home Assistant command-line interface (hass-cli) rendered Jinja2 templates with Jinja2's standard, unrestricted Environment instead of its SandboxedEnvironment. When a template was rendered locally (the --local flag), user-supplied template content was evaluated without restriction, so it could reach Python internals through attribute access and do far more than the templating features were meant to allow. A user who is persuaded to render a malicious third-party template with --local can therefore have arbitrary code executed on their own machine. The issue affects only the local machine running hass-cli and requires user interaction.
Recommendations: Update to version 1.0.0 or later. Review Jinja2 templates obtained from third parties, manually or with a tool, before rendering them with hass-cli; a template that reaches for double-underscore attributes (such as __class__ or __globals__) has no legitimate templating purpose and should not be rendered.
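The following is an added example, not code from home-assistant-cli or the Home Assistant project. It illustrates both the description and the recommendation above: the same template is rendered once with Jinja2's plain Environment (what the vulnerable versions did) and once with SandboxedEnvironment (what the fix uses), and a small pre-render check walks the template's syntax tree for underscore-prefixed attribute access. The template string is constructed for this example; it reaches the Python os module only through cycler, a helper that Jinja2 puts in every template's default globals, and the function names and the Home Assistant-style variable names are this example's own.

```python
"""Added example: unsandboxed vs. sandboxed Jinja2 rendering, plus a
pre-render check for templates that reach into Python internals.
Not code from home-assistant-cli; all templates below are constructed.
"""
import os

from jinja2 import Environment, nodes
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed "third-party" template. It needs no variable from the renderer:
# `cycler` is in Jinja2's default template globals, its __init__.__globals__
# is the jinja2.utils module namespace, and that module imports `os`.
# Replace getcwd() with system("...") and this is arbitrary code execution.
MALICIOUS_TEMPLATE = "{{ cycler.__init__.__globals__['os'].getcwd() }}"

# A benign template of the kind a user legitimately renders locally.
BENIGN_TEMPLATE = "{{ entity_id | upper }} is {{ state }}"


def render_unrestricted(source: str, **context) -> str:
    """Render with the plain Environment, as the affected versions did."""
    return Environment().from_string(source).render(**context)


def render_sandboxed(source: str, **context) -> str:
    """Render with SandboxedEnvironment: underscore-prefixed attributes are
    replaced by an undefined value that raises SecurityError when used."""
    return SandboxedEnvironment().from_string(source).render(**context)


def reaches_python_internals(source: str) -> bool:
    """True if the unrestricted render actually got to the real os module."""
    return render_unrestricted(source) == os.getcwd()


def sandbox_blocks(source: str, **context) -> bool:
    """True if the sandbox refuses the template with SecurityError."""
    try:
        render_sandboxed(source, **context)
    except SecurityError:
        return True
    return False


def suspicious_accesses(source: str) -> list:
    """Pre-render check using Jinja2's own parser: every '_'-prefixed name the
    template reaches via attribute access, a constant subscript, or the
    attr() filter. An empty list means nothing to flag. This is a heuristic
    (a name computed at runtime is not seen); the sandbox is the real control."""
    tree = Environment().parse(source)
    found = set()
    for node in tree.find_all(nodes.Getattr):
        if node.attr.startswith("_"):
            found.add(node.attr)
    for node in tree.find_all(nodes.Getitem):
        if isinstance(node.arg, nodes.Const) and str(node.arg.value).startswith("_"):
            found.add(str(node.arg.value))
    for node in tree.find_all(nodes.Filter):
        if node.name == "attr" and node.args and isinstance(node.args[0], nodes.Const):
            if str(node.args[0].value).startswith("_"):
                found.add(str(node.args[0].value))
    return sorted(found)


if __name__ == "__main__":
    print("unrestricted :", render_unrestricted(MALICIOUS_TEMPLATE))
    print("sandboxed    :", "blocked" if sandbox_blocks(MALICIOUS_TEMPLATE) else "rendered")
    print("flagged      :", suspicious_accesses(MALICIOUS_TEMPLATE))
    print("benign       :", render_sandboxed(BENIGN_TEMPLATE, entity_id="light.kitchen", state="on"))
```

The unrestricted render prints the current working directory, which shows the template reached the real os module; the sandboxed render of the same template raises SecurityError, while the benign template renders identically in both environments. The AST walk is a reviewer's aid for the "evaluate templates before rendering" recommendation, not a substitute for the sandbox.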

Fix

Weakness Enumeration

Code Injection

Related Identifiers

CVE-2026-40602
GHSA-33QF-Q99X-WPM8

Affected Products

Homeassistant-Cli