GHSA-46J8-VPX8-6P72
Vulnerability from github – Published: 2026-03-27 20:35 – Updated: 2026-03-27 21:48Summary
The "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable to the same issue as CVE-2025-62172.
This also indicates that any sensor showing their name in the history-graph, is likely to be vulnerable to this issue.
Details
Another entity was found which displays the same behavior as in this issue: CVE-2025-62172
The History-graph card will sometimes display the name of the entity it is displaying, when the graph is shown as a line with values on the x and y axis. This appears to be vulnerable to Cross-Site scripting (XSS) as it does not have any output escaping or sanitization.
The PoC in this instance only shows HTML-injection in the form of the <s> -tag being rendered as strike through, but the vulnerability also allows for injecting arbitrary tags which execute JavaScript, like the example given in the PoC description below.
PoC
- Register a new sensor (or device) or change the name of an existing one, which provides a location
- Change the name to something malicious, for example
test <img src=x onerror=alert(document.domain) />For a new entity, it should work when setting the name. For old entities, go here:
PS: the example pictures show changing the name of the device-tracker entity, which is wrong. Just change the name of the remaining charge time-sensor in order to validate this finding
-
Add a history graph card with the malicious sensor
-
Hover the graph for payload execution
Impact
The impact of this vulnerability is that a user can target other users of the system and perform account takeover through client side exploitation of XSS.
In the context of this system, I believe the vulnerability to be less impactful than the CVSS metric describes. It is not displayed anywhere by default, it is not natural to display this history graph, and it also has no potential for being imported through seemingly innocent integrations. It also appears to rely on having used/using Android Auto. Other devices which has the same sensor can trigger the same vulnerability, and I expect there to exists cloud-based devices that would enable a threat actor to deliver the payload remotely.
Credit: Robin Lunde - https://robinlunde.com
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "homeassistant"
},
"ranges": [
{
"events": [
{
"introduced": "2025.02"
},
{
"fixed": "2026.01"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33045"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T20:35:01Z",
"nvd_published_at": "2026-03-27T20:16:31Z",
"severity": "LOW"
},
"details": "### Summary\nThe \"remaining charge time\"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable to the same issue as CVE-2025-62172.\n\u003cimg width=\"431\" height=\"334\" alt=\"image\" src=\"https://github.com/user-attachments/assets/84e0dfad-b986-4e84-ad0e-674c5da88582\" /\u003e\nThis also indicates that any sensor showing their name in the history-graph, is likely to be vulnerable to this issue.\n\n### Details\n\nAnother entity was found which displays the same behavior as in this issue: [CVE-2025-62172](https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m)\n\n\nThe History-graph card will sometimes display the name of the entity it is displaying, when the graph is shown as a line with values on the x and y axis. This appears to be vulnerable to Cross-Site scripting (_XSS_) as it does not have any output escaping or sanitization.\n\nThe PoC in this instance only shows HTML-injection in the form of the `\u003cs\u003e` -tag being rendered as strike through, but the vulnerability also allows for injecting arbitrary tags which execute JavaScript, like the example given in the PoC description below.\n\n\n### PoC\n1. Register a new sensor (or device) or change the name of an existing one, which provides a location\n2. Change the name to something malicious, for example `test \u003cimg src=x onerror=alert(document.domain) /\u003e`\n For a new entity, it should work when setting the name. For old entities, go here:\n\u003cimg width=\"1300\" height=\"411\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7dbd9afa-2f4b-4d03-9384-d57c53eaff5c\" /\u003e\n\u003cimg width=\"1383\" height=\"885\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c4cfba2e-e2d8-4817-92fe-f17ba7877e27\" /\u003e\n\u003cimg width=\"387\" height=\"436\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c40e986d-20ca-416e-bcdb-ca1d3afa77a4\" /\u003e\n\u003cbr\u003e\n\u003cimg width=\"392\" height=\"515\" alt=\"image\" src=\"https://github.com/user-attachments/assets/623fcf8c-eef1-4b17-853d-0ff5440aecaa\" /\u003e\n\n**PS: the example pictures show changing the name of the device-tracker entity, which is wrong. Just change the name of the `remaining charge time`-sensor in order to validate this finding**\n\n3. Add a history graph card with the malicious sensor\n\u003cimg width=\"696\" height=\"474\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3cda78e6-3db5-4075-8924-ab9fc5759082\" /\u003e\n\n5. Hover the graph for payload execution\n\u003cimg width=\"343\" height=\"196\" alt=\"image\" src=\"https://github.com/user-attachments/assets/99e56169-b06a-4c60-9343-510e5d74af12\" /\u003e\n\n\n### Impact\n\nThe impact of this vulnerability is that a user can target other users of the system and perform account takeover through client side exploitation of XSS.\n\nIn the context of this system, I believe the vulnerability to be less impactful than the CVSS metric describes. It is not displayed anywhere by default, it is not natural to display this history graph, and it also has no potential for being imported through seemingly innocent integrations. It also appears to rely on having used/using Android Auto. Other devices which has the same sensor can trigger the same vulnerability, and I expect there to exists cloud-based devices that would enable a threat actor to deliver the payload remotely.\n\nCredit: Robin Lunde - [https://robinlunde.com](https://robinlunde.com)",
"id": "GHSA-46j8-vpx8-6p72",
"modified": "2026-03-27T21:48:43Z",
"published": "2026-03-27T20:35:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72"
},
{
"type": "WEB",
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33045"
},
{
"type": "PACKAGE",
"url": "https://github.com/home-assistant/core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Home Assistant has stored XSS in history-graphs"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.