EUVD-2026-16775
GHSA-46j8-vpx8-6p72
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue.
Analysis
Cross-site scripting in Home Assistant's mobile phone remaining charge time sensor allows authenticated attackers to inject malicious scripts via crafted sensor names imported from Android Auto. Affecting Home Assistant versions 2025.02 through 2026.00, this vulnerability requires low attack complexity and privileged access but relies on user interaction to execute stored XSS payloads. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all Home Assistant instances and document current versions in use. Within 7 days: upgrade affected instances (2025.02 through 2026.00) to Home Assistant version 2026.01 or later; restrict administrative access to trusted users only during transition. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today