CVE-2026-40602
MEDIUMhass-cli: Handling of user-supplied Jinja2 templates
Title source: cnaDescription
The Home Assistant Command-line interface (hass-cli) is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and extended the scope of templating beyond the intended usage. This vulnerability is fixed in 1.0.0.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/home-assistant-ecosystem/home-assistant-cli/security/advisories/GHSA-33qf-q99x-wpm8
X_Refsource_Misc x_refsource_misc
https://github.com/home-assistant-ecosystem/home-assistant-cli/pull/453
Scores
CVSS v3
5.6
EPSS
0.0010
EPSS Percentile
1.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-1336
CWE-94
Status
published
Products (3)
home-assistant-ecosystem/home-assistant-cli
< 1.0.0
home-assistant-ecosystem/home_assistant_command-line_interface
< 1.0.0
pypi/homeassistant-cli
0 - 1.0.0PyPI
Published
Apr 21, 2026
Tracked Since
Apr 21, 2026