CVE-2026-40602 PUBLISHED

hass-cli: Handling of user-supplied Jinja2 templates

Assigner: GitHub_M
Reserved: 14.04.2026 Published: 21.04.2026 Updated: 21.04.2026

The Home Assistant Command-line interface (hass-cli) is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and extended the scope of templating beyond the intended usage. This vulnerability is fixed in 1.0.0.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
CVSS Score: 5.6

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	home-assistant-ecosystem
Product	home-assistant-cli
Versions	Version < 1.0.0 is affected

References

Problem Types

CWE-94: Improper Control of Generation of Code ('Code Injection') CWE
CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine CWE