ID

VAR-202603-5274


CVE

CVE-2026-33045


TITLE

Home Assistant Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2026-009616

DESCRIPTION

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01, the "remaining charge time" sensor for mobile phones (imported/included from Android Auto, it appears) is vulnerable to cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue. Some of the information handled by the software may be leaked to the outside. Also, some of the information handled by the software may be rewritten. Furthermore, the software will not stop. Furthermore, attacks exploiting this vulnerability may affect other software.

Trust: 1.62

sources: NVD: CVE-2026-33045 // JVNDB: JVNDB-2026-009616

AFFECTED PRODUCTS

vendor: home assistant | model: home-assistant | scope: gte | version: 2025.2.0

Trust: 1.0

vendor: home assistant | model: home-assistant | scope: lt | version: 2026.1.0

Trust: 1.0

vendor: home assistant | model: home assistant | scope: - | version: -

Trust: 0.8

vendor: home assistant | model: home assistant | scope: eq | version: -

Trust: 0.8

vendor: home assistant | model: home assistant | scope: eq | version: 2025.2.0 or later, before 2026.1.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-009616 // NVD: CVE-2026-33045

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2026-33045
value: MEDIUM

Trust: 1.0

security-advisories@github.com: CVE-2026-33045
value: HIGH

Trust: 1.0

NVD: CVE-2026-33045
value: MEDIUM

Trust: 0.8

nvd@nist.gov: CVE-2026-33045
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2026-33045
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-009616 // NVD: CVE-2026-33045 // NVD: CVE-2026-33045

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-009616 // NVD: CVE-2026-33045

PATCH

title: Stored XSS in history-graphs · Advisory · home-assistant/core · GitHub | url: https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72

Trust: 0.8

sources: JVNDB: JVNDB-2026-009616

EXTERNAL IDS

db: NVD | id: CVE-2026-33045

Trust: 2.6

db: JVNDB | id: JVNDB-2026-009616

Trust: 0.8

sources: JVNDB: JVNDB-2026-009616 // NVD: CVE-2026-33045

REFERENCES

url: https://github.com/home-assistant/core/security/advisories/ghsa-mq77-rv97-285m

Trust: 1.0

url: https://github.com/home-assistant/core/security/advisories/ghsa-46j8-vpx8-6p72

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2026-33045

Trust: 0.8

sources: JVNDB: JVNDB-2026-009616 // NVD: CVE-2026-33045

SOURCES

db: JVNDB | id: JVNDB-2026-009616
db: NVD | id: CVE-2026-33045

LAST UPDATE DATE

2026-04-03T23:42:48.817000+00:00


SOURCES UPDATE DATE

db: JVNDB | id: JVNDB-2026-009616 | date: 2026-04-02T01:39:00
db: NVD | id: CVE-2026-33045 | date: 2026-03-31T20:16:27.450

SOURCES RELEASE DATE

db: JVNDB | id: JVNDB-2026-009616 | date: 2026-04-02T00:00:00
db: NVD | id: CVE-2026-33045 | date: 2026-03-27T20:16:31.150