Skip to main content

Google EUVDEUVD-2026-16775

| CVE-2026-33045 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-27 security-advisories@github.com GHSA-46j8-vpx8-6p72
7.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 20:22 euvd
EUVD-2026-16775
Analysis Generated
Mar 27, 2026 - 20:22 vuln.today
CVE Published
Mar 27, 2026 - 20:16 nvd
HIGH 7.3

DescriptionGitHub Advisory

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue.

AnalysisAI

Cross-site scripting in Home Assistant's mobile phone remaining charge time sensor allows authenticated attackers to inject malicious scripts via crafted sensor names imported from Android Auto. Affecting Home Assistant versions 2025.02 through 2026.00, this vulnerability requires low attack complexity and privileged access but relies on user interaction to execute stored XSS payloads. A vendor-released patch is available in version 2026.01, with EPSS data unavailable and no confirmed active exploitation at time of analysis.

Technical ContextAI

Home Assistant is an open-source home automation platform emphasizing local control and privacy. This vulnerability manifests in the rendering of sensor names imported from Android Auto mobile phone integration, specifically the 'remaining charge time' sensor entity. The root cause is improper neutralization of input during web page generation (CWE-79), allowing persistent cross-site scripting attacks. When sensor names containing JavaScript payloads are displayed in the Home Assistant web interface, the malicious code executes in victim browsers. This follows a similar pattern to CVE-2025-62172, indicating a broader issue with entity name sanitization in mobile device integrations. The affected component processes external sensor data from Android Auto without adequate output encoding, creating an attack surface where device-controlled strings become executable code in the web UI.

RemediationAI

Upgrade Home Assistant Core to version 2026.01 or later, which contains sanitization fixes for mobile phone sensor name rendering. The vendor-released patch addresses improper output encoding in entity name display logic. Organizations should prioritize upgrading installations with Android Auto mobile device integrations, particularly multi-user deployments or instances accessible beyond trusted administrators. During the upgrade window, administrators should audit mobile device sensor entities for suspicious names containing HTML/JavaScript syntax and temporarily remove untrusted Android Auto integrations. Review Home Assistant access logs for unusual authenticated activity and inspect browser console logs for XSS indicators. Post-upgrade, verify mobile phone sensor names display correctly without script execution. Reference the official security advisory at https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72 for vendor-specific guidance and release notes. No workaround fully mitigates this vulnerability without upgrading; restricting Android Auto integration to trusted devices provides partial risk reduction.

Share

EUVD-2026-16775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy