CVE-2026-33045 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Home Assistant core, an open-source home automation platform emphasizing local control and privacy. The vulnerability specifically resides in the "remaining charge time" sensor for mobile phones, which appears to be imported from Android Auto components. Versions from 2025.02 through 2026.01 (exclusive) are affected. The issue arises from improper neutralization of input during web page generation, allowing attackers to inject malicious scripts that execute in the context of the victim's browser. This can lead to theft of sensitive information, session hijacking, or manipulation of the user interface. The CVSS 4.0 score is 7.3 (high), reflecting network attack vector, low attack complexity, partial authentication required, user interaction needed, and high impact on confidentiality, integrity, and availability with a broad scope affecting multiple components. The vulnerability was publicly disclosed on March 27, 2026, and fixed in version 2026.01. No known active exploits have been reported, but the similarity to a prior CVE (2025-62172) indicates potential for exploitation if left unpatched.

The vulnerability poses a significant risk to organizations and individuals using Home Assistant core versions between 2025.02 and 2026.01. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of the Home Assistant web interface, potentially leading to unauthorized access to sensitive home automation controls, leakage of private data, session hijacking, or manipulation of device states. Given Home Assistant's role in controlling smart home devices, this could extend to physical security risks or disruption of critical home automation functions. The requirement for partial authentication and user interaction somewhat limits remote exploitation but does not eliminate risk, especially in environments with multiple users or less security-aware operators. The broad scope and high impact on confidentiality, integrity, and availability make this a serious threat for users relying on vulnerable versions.

The primary mitigation is to upgrade Home Assistant core to version 2026.01 or later, where the vulnerability is fixed. Until upgrade is possible, organizations should restrict access to the Home Assistant web interface to trusted users only and implement network-level protections such as VPNs or firewall rules to limit exposure. Additionally, review and sanitize all inputs related to the "remaining charge time" sensor or any Android Auto integrations to ensure proper encoding and neutralization of potentially malicious data. Employ Content Security Policy (CSP) headers to reduce the impact of XSS attacks by restricting script execution sources. Monitor logs for suspicious activity related to sensor inputs and user interactions. Educate users about the risks of interacting with untrusted content within the Home Assistant interface. Finally, maintain regular backups and incident response plans to quickly recover from potential compromises.