Description
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/home-assistant/core/security/advisories/GHSA-46j8-vpx8-6p72
X_Refsource_Misc x_refsource_misc
https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m
Scores
CVSS v3
5.4
EPSS
0.0001
EPSS Percentile
1.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (3)
home-assistant/core
>= 2025.02, < 2026.01
home-assistant/home-assistant
2025.2.0 - 2026.1.0
pypi/homeassistant
2025.02 - 2026.01PyPI
Published
Mar 27, 2026
Tracked Since
Mar 29, 2026