Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) issue that can lead to client-side attacks such as account takeover. Such security weaknesses can potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access.

However, the exploitability is considered moderate due to limited attack surface and specific conditions needed for exploitation, which may reduce the overall risk to compliance but does not eliminate it.

Organizations using affected versions of Home Assistant should apply the patch in version 2026.01 to mitigate risks that could lead to non-compliance with data protection and privacy regulations.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33045 is a stored Cross-Site Scripting (XSS) vulnerability in the Home Assistant core, specifically affecting the history-graphs feature.

The issue occurs because the history-graph card does not properly escape or sanitize HTML special characters in entity names, allowing attackers to inject arbitrary HTML and JavaScript code.

This vulnerability was identified in the "remaining charge time" sensor for mobile phones, imported from Android Auto, but it can affect any sensor whose name is displayed in the history-graph.

An attacker can rename a sensor to include malicious HTML/JavaScript, which executes when the sensor is displayed in the history graph card.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability enables attackers to perform client-side XSS attacks targeting other users of the Home Assistant system.

Potential impacts include execution of arbitrary JavaScript in the context of the victim's browser, which can lead to account takeover or theft of sensitive information.

However, the exploitability and impact are considered moderate because the vulnerable graph is not displayed by default, requires specific sensors, and the attack surface is somewhat limited.

Remote exploitation could be possible on cloud-based devices with similar sensors.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Home Assistant instance is running a version between 2025.02 and prior to 2026.01, as these versions are affected.

Specifically, the vulnerability involves the history-graph card rendering entity names without proper escaping, allowing stored XSS via sensor names.

A practical detection method is to inspect sensor entity names, especially those imported from Android Auto or similar sources, for suspicious HTML or JavaScript code embedded in their names.

Since this is a web-based XSS vulnerability, you can also test by renaming a sensor to include a harmless HTML payload (e.g., a test with `<img src=x onerror=alert(document.domain) />`) and then viewing the history-graph card to see if the payload executes.

There are no specific network commands provided to detect this vulnerability, as it is related to the web interface rendering and sensor naming.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade your Home Assistant installation to version 2026.01 or later, where this vulnerability has been fixed.

Until the upgrade is applied, avoid using or displaying the history-graph card with sensors that may contain untrusted or user-controlled names, especially those imported from Android Auto or similar integrations.

Additionally, review and sanitize sensor entity names to ensure they do not contain malicious HTML or JavaScript code.

Useful 0 Not Useful 0