CVE-2026-33045: Home Assistant has stored XSS in history-graphs

March 27, 2026

The “remaining charge time”-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable to the same issue as CVE-2025-62172. This also indicates that any sensor showing their name in the history-graph, is likely to be vulnerable to this issue.

References

github.com/advisories/GHSA-46j8-vpx8-6p72
github.com/home-assistant/core
github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72
github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m
nvd.nist.gov/vuln/detail/CVE-2026-33045

Code Behaviors & Features

Detect and mitigate CVE-2026-33045 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →