Home Assistant
cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*
- >= 2025.02, <= 2026.01
A cross-site scripting (XSS) vulnerability has been identified in Home Assistant versions 2025.02 up to, but not including, 2026.01. The issue arises in the 'remaining charge time' sensor for mobile phones, which is imported from Android Auto: the sensor's name is rendered without sanitization, so a script embedded in it executes when another user hovers over the affected data point in the energy dashboard.
Successful exploitation allows an injected script to run in the browser of any user who hovers over the affected data point, in the context of that user's Home Assistant session.
To reproduce this vulnerability, first ensure you are using a version of Home Assistant prior to 2026.01. Then add a 'remaining charge time' sensor for a mobile phone that is connected to Android Auto and change the sensor's name to include a malicious payload, such as an image tag with an 'onerror' event. Once the sensor is set up, add it to a history graph card on the dashboard. When a user hovers over the data point, the injected script executes, demonstrating the cross-site scripting vulnerability.
Users can update to Home Assistant version 2026.01 or later, where this vulnerability has been fixed.