CVE-2026-33044: Stored Cross-Site Scripting in Home Assistant Map-Card
Vulnerability ID: CVE-2026-33044
CVSS Score: 7.3
Published: 2026-03-27
Home Assistant versions prior to 2026.01 are vulnerable to a stored Cross-Site Scripting (XSS) flaw in the Map-card component. An authenticated attacker can inject malicious JavaScript into an entity name, which executes when a victim hovers over historical movement data points in the dashboard.
TL;DR
A stored XSS vulnerability in the Home Assistant Map-card allows authenticated attackers to execute arbitrary JavaScript in a victim's browser context by injecting HTML payloads into device entity names.
⚠️ Exploit Status: PoC
Technical Details
- CVE ID: CVE-2026-33044
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS 4.0 Score: 7.3
- Impact: Account Takeover / Session Hijacking
- Exploit Status: PoC Available
- CISA KEV Status: Not Listed
Affected Systems
- Home Assistant Core
- Home Assistant Frontend
- homeassistant: >= 2020.02, < 2026.01 (Fixed in: 2026.01)
Exploit Details
- GitHub Security Advisory: Proof of concept outlining device renaming and dashboard configuration.
Mitigation Strategies
- Upgrade Home Assistant to version 2026.01.
- Disable the hours_to_show property in Map-card configurations until patched, since the historical movement data points it renders are where the injected name is displayed.
- Enforce strict HTML output encoding for all user-controlled data in frontend components.
- Audit existing entity names for unauthorized modifications or HTML payloads.
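The following is an added example, not code from Home Assistant or from the advisory. It shows the general pattern behind this class of bug (an entity's friendly name interpolated verbatim into tooltip markup) next to a hardened version that HTML-encodes every user-controlled field, and it adds a small audit that scans an entity registry for names carrying HTML or script payloads. The tooltip rendering functions, the escapeHtml helper, and the registry shape ({ data: { entities: [ { entity_id, name, original_name } ] } }, modelled on Home Assistant's .storage/core.entity_registry file) are assumptions of this example, and the entity names are constructed.

```javascript
// Added example (not Home Assistant's code). Demonstrates the stored-XSS pattern the
// advisory describes, a hardened rendering, and an audit over an entity registry.
// All entity names and the registry below are constructed for this example.

// Minimal HTML encoding suitable for text placed inside an element body or a
// double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern (constructed, hypothetical function): the name goes into the
// markup verbatim, so a name such as <img src=x onerror=alert(1)> becomes live HTML
// the moment the tooltip is rendered on hover.
function renderTooltipUnsafe(entity) {
  return `<div class="tooltip"><b>${entity.name}</b> at ${entity.lat}, ${entity.lon}</div>`;
}

// Hardened pattern: every user-controlled field is encoded before it meets the markup.
// Coordinates are encoded too; they come from device reports, not from the dashboard.
function renderTooltipSafe(entity) {
  return `<div class="tooltip"><b>${escapeHtml(entity.name)}</b> at ` +
    `${escapeHtml(entity.lat)}, ${escapeHtml(entity.lon)}</div>`;
}

// Heuristics for the "audit existing entity names" mitigation. A friendly name has no
// business containing a tag opener, an event-handler attribute or a javascript: URL.
const PAYLOAD_PATTERNS = [
  /<\s*\/?\s*[a-z]/i,     // "<" followed by a tag name (closing ">" is optional in browsers)
  /\bon[a-z]+\s*=/i,      // onerror=, onload=, onmouseover= ... (attribute breakout)
  /javascript\s*:/i,      // javascript: URL scheme
];

// registry: object shaped like the entity registry described in the lead-in.
// Returns one hit per entity whose name or original_name matches a payload pattern.
function findSuspiciousEntityNames(registry) {
  const hits = [];
  for (const ent of registry.data.entities) {
    for (const field of ["name", "original_name"]) {
      const val = ent[field];
      if (typeof val === "string" && PAYLOAD_PATTERNS.some((re) => re.test(val))) {
        hits.push({ entity_id: ent.entity_id, field, value: val });
        break; // one hit per entity is enough for triage
      }
    }
  }
  return hits;
}

// Constructed sample registry: two benign names (apostrophe and ampersand are fine),
// one tag injection, one script tag and one quoted-attribute breakout.
const SAMPLE_REGISTRY = {
  data: {
    entities: [
      { entity_id: "device_tracker.phone_alice", name: "Alice's phone", original_name: "Phone" },
      { entity_id: "device_tracker.phone_bob", name: "<img src=x onerror=alert(document.cookie)>", original_name: "Phone" },
      { entity_id: "device_tracker.car", name: null, original_name: "Car <script>alert(1)</script>" },
      { entity_id: "device_tracker.bike", name: "Bike & Trailer", original_name: "Bike" },
      { entity_id: "device_tracker.dog", name: "Dog\" onmouseover=\"alert(1)", original_name: "Collar" },
    ],
  },
};

// Stand-alone run: list the entities an operator should inspect and rename.
for (const hit of findSuspiciousEntityNames(SAMPLE_REGISTRY)) {
  console.log(`${hit.entity_id} (${hit.field}): ${hit.value}`);
}
```

The audit is a triage aid, not a detector of every possible payload; treat any hit as something to rename and investigate, and still apply the upgrade, because the fix belongs in the renderer rather than in the data.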
Remediation Steps:
- Access the Home Assistant administrative interface.
- Navigate to Settings > System > Updates.
- Identify the pending update for Home Assistant Core version 2026.01.
- Initiate the backup process to secure the current configuration.
- Apply the update and monitor the system logs during the restart process.
- Verify the application version displays 2026.01 in the 'About' section.
References
- GitHub Security Advisory GHSA-r584-6283-p7xc
- NVD Vulnerability Detail CVE-2026-33044
- CVE Record
- OSV Database Entry
- Researcher Advisory (Robin Lunde)