Medium severity5.6NVD Advisory· Published Apr 21, 2026· Updated Apr 27, 2026
CVE-2026-40602
CVE-2026-40602
Description
The Home Assistant Command-line interface (hass-cli) is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and extended the scope of templating beyond the intended usage. This vulnerability is fixed in 1.0.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
homeassistant-cliPyPI | < 1.0.0 | 1.0.0 |
Affected products
1- cpe:2.3:a:home-assistant-ecosystem:home_assistant_command-line_interface:*:*:*:*:*:*:*:*Range: <1.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-33qf-q99x-wpm8ghsaADVISORY
- github.com/home-assistant-ecosystem/home-assistant-cli/security/advisories/GHSA-33qf-q99x-wpm8nvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-40602ghsaADVISORY
- github.com/home-assistant-ecosystem/home-assistant-cli/pull/453nvdIssue TrackingWEB
News mentions
0No linked articles in our index yet.