CVE-2026-33044
Received Received - Intake
Cross-Site Scripting in Home Assistant Map-Card Entity Names

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33044
EUVD
EUVD-2026-16774
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
home-assistant home-assistant From 2020.02 (inc) to 2026.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to client-side exploitation such as account takeover by executing malicious scripts in the victim's browser.

Since the attack requires an authenticated attacker to set a malicious device name, it can be triggered by invited users or through social engineering.

The impact includes unauthorized access to user accounts and potential compromise of sensitive information displayed or accessible through the dashboard.

Executive Summary

CVE-2026-33044 is a stored Cross-Site Scripting (XSS) vulnerability in the Home Assistant core, specifically affecting the map-card component used in dashboards.

An authenticated user can assign a malicious name to a device entity that appears on a map-card showing device movement history. When another user views the dashboard and hovers over the device's movement points, the malicious script executes in their browser.

This allows the attacker to inject and run arbitrary HTML or JavaScript code in the context of the victim's browser, potentially leading to further exploitation.

Detection Guidance

This vulnerability can be detected by checking if any device entities in your Home Assistant instance have names containing malicious or suspicious HTML/JavaScript code, especially those displayed on dashboards using the map-card component with the "hours_to_show" attribute set.

Since the attack requires an authenticated user to add or rename a device entity with a location sensor, you can audit recent changes to device entity names for suspicious input.

There are no specific commands provided to detect this vulnerability directly, but you can use Home Assistant's developer tools or API to list device entities and inspect their names for suspicious scripts.

  • Use Home Assistant's REST API or developer tools to list all device entities and review their names.
  • Manually inspect device names for embedded HTML or JavaScript code.
  • Monitor dashboard usage of the map-card component with the "hours_to_show" attribute.
Mitigation Strategies

The immediate mitigation step is to upgrade Home Assistant to version 2026.01 or later, where this vulnerability has been fixed.

Additionally, restrict authenticated user permissions to prevent unauthorized renaming or adding of device entities.

Review and sanitize device entity names to remove any potentially malicious scripts.

  • Upgrade Home Assistant to version 2026.01 or newer.
  • Limit user permissions to trusted users only.
  • Audit and clean device entity names to remove malicious content.
Compliance Impact

The vulnerability allows an authenticated attacker to perform Cross-Site Scripting (XSS) attacks by injecting malicious code into device entity names, which can lead to client-side exploitation such as account takeover. This kind of security flaw can potentially compromise user data privacy and system integrity.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized code execution and potential account takeover can increase the risk of data breaches and unauthorized access to personal or sensitive information, thereby impacting compliance with such regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33044. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart