CVE-2026-33044
Cross-Site Scripting in Home Assistant Map-Card Entity Names
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| home-assistant | home-assistant | From 2020.02 (inc) to 2026.1.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33044 is a stored Cross-Site Scripting (XSS) vulnerability in the Home Assistant core, specifically affecting the map-card component used in dashboards.
An authenticated user can assign a malicious name to a device entity that appears on a map-card showing device movement history. When another user views the dashboard and hovers over the device's movement points, the malicious script executes in their browser.
This allows the attacker to inject and run arbitrary HTML or JavaScript code in the context of the victim's browser, potentially leading to further exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether any device entities in your Home Assistant instance have names containing suspicious HTML or JavaScript, especially entities displayed on dashboards that use the map-card component with the "hours_to_show" attribute set.
Since the attack requires an authenticated user to add or rename a device entity with a location sensor, you can audit recent changes to device entity names for suspicious input.
There are no specific commands provided to detect this vulnerability directly, but you can use Home Assistant's developer tools or API to list device entities and inspect their names for suspicious scripts.
- Use Home Assistant's REST API or developer tools to list all device entities and review their names.
- Manually inspect device names for embedded HTML or JavaScript code.
- Monitor dashboard usage of the map-card component with the "hours_to_show" attribute.
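An audit script for the steps above, added here as an example and not part of this advisory or of Home Assistant itself: it reads entity states (from a live instance via the documented /api/states endpoint, or from an embedded constructed sample) and flags friendly names that contain tags, inline event-handler attributes, javascript: URLs or HTML entities, noting which entities carry coordinates and so would be rendered by a map-card. The base URL and long-lived access token are assumed inputs.

```python
"""Audit Home Assistant entity names for markup-like content (added example)."""
import html
import json
import re
import urllib.request

# Content that should never appear in a friendly_name: a tag opener, an inline
# event handler, a javascript: URL, or an HTML entity that may decode to markup.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-zA-Z!]"      # tag opener, e.g. <img, <script, </b
    r"|\bon[a-z]+\s*="          # event-handler attribute, e.g. onerror=
    r"|javascript\s*:"          # javascript: URL scheme
    r"|&#?[a-zA-Z0-9]+;",       # HTML entity, e.g. &lt; or &#60;
    re.IGNORECASE,
)


def is_suspicious_name(name):
    """True when the raw or entity-decoded name looks like markup or script."""
    if not name:
        return False
    return bool(SUSPICIOUS.search(name) or SUSPICIOUS.search(html.unescape(name)))


def find_suspicious_entities(states):
    """Scan /api/states objects; return (entity_id, friendly_name, has_coordinates)."""
    findings = []
    for state in states:
        attrs = state.get("attributes", {})
        name = attrs.get("friendly_name", "")
        if is_suspicious_name(name):
            has_coords = "latitude" in attrs and "longitude" in attrs
            findings.append((state["entity_id"], name, has_coords))
    return findings


def fetch_states(base_url, token):
    """Fetch all states from a live instance using a long-lived access token."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/states",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample in the shape /api/states returns: one benign name, one
# tag-bearing name on a tracker with coordinates, one entity-encoded name.
SAMPLE_STATES = [
    {"entity_id": "device_tracker.phone_a", "state": "not_home",
     "attributes": {"friendly_name": "Alice's phone", "latitude": 52.37, "longitude": 4.90}},
    {"entity_id": "device_tracker.phone_b", "state": "home",
     "attributes": {"friendly_name": "<b onmouseover=alert(1)>Phone</b>",
                    "latitude": 52.30, "longitude": 4.80}},
    {"entity_id": "sensor.kitchen_temp", "state": "21.5",
     "attributes": {"friendly_name": "&lt;b&gt;Kitchen&lt;/b&gt;"}},
]

if __name__ == "__main__":
    for entity_id, name, has_coords in find_suspicious_entities(SAMPLE_STATES):
        where = "has coordinates, map-card visible" if has_coords else "no coordinates"
        print(f"{entity_id}: {name!r} [{where}]")
```

To run against a real instance, replace SAMPLE_STATES with fetch_states("http://homeassistant.local:8123", TOKEN) and review each hit by hand; the patterns are a triage heuristic, not a complete HTML parser.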
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Home Assistant to version 2026.01 or later, where this vulnerability has been fixed.
Additionally, restrict authenticated user permissions to prevent unauthorized renaming or adding of device entities.
Review and sanitize device entity names to remove any potentially malicious scripts.
- Upgrade Home Assistant to version 2026.01 or newer.
- Limit user permissions to trusted users only.
- Audit and clean device entity names to remove malicious content.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated attacker to perform Cross-Site Scripting (XSS) attacks by injecting malicious code into device entity names, which can lead to client-side exploitation such as account takeover. This kind of security flaw can potentially compromise user data privacy and system integrity.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized code execution and potential account takeover can increase the risk of data breaches and unauthorized access to personal or sensitive information, thereby impacting compliance with such regulations.
How can this vulnerability impact me?
This vulnerability can lead to client-side exploitation such as account takeover by executing malicious scripts in the victim's browser.
Since the attack requires an authenticated attacker to set a malicious device name, it can be triggered by invited users or through social engineering.
The impact includes unauthorized access to user accounts and potential compromise of sensitive information displayed or accessible through the dashboard.