CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33045: Stored Cross-Site Scripting in Home Assistant History-Graph Card

Vulnerability ID: CVE-2026-33045
CVSS Score: 7.3
Published: 2026-03-27

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Home Assistant frontend, specifically within the History-graph card component. The flaw allows authenticated users with low privileges or malicious third-party integrations to inject arbitrary JavaScript via unescaped entity names. This script executes when a victim hovers over the associated graph, potentially leading to full account takeover.
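The sink described above is a tooltip that builds HTML from an entity's display name. The following is an added example (not Home Assistant or Chart.js code) showing that pattern in its vulnerable and hardened forms: a string renderer that concatenates the name straight into markup, beside one that HTML-escapes every untrusted fragment first. The function names, the tooltip markup and the sample friendly_name are constructed for this illustration.

```javascript
// Added example, not Home Assistant frontend code: a tooltip renderer that
// interpolates an entity's friendly_name into HTML is a stored-XSS sink;
// escaping the name for the HTML context removes it. Names are constructed.

// Minimal escaper for text placed into an HTML element context.
// '&' is replaced first so later replacements are not double-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the name is concatenated into markup that would later be
// assigned to innerHTML, so any tag inside the name is parsed as real HTML.
function buildTooltipUnsafe(entityName, value, unit) {
  return `<div class="tooltip"><b>${entityName}</b>: ${value} ${unit}</div>`;
}

// Hardened pattern: every data-derived fragment is escaped before it joins
// the markup. (Building DOM nodes and setting textContent is equally valid.)
function buildTooltipSafe(entityName, value, unit) {
  return `<div class="tooltip"><b>${escapeHtml(entityName)}</b>: ${escapeHtml(value)} ${escapeHtml(unit)}</div>`;
}

// Detection helper: after removing the renderer's own wrapper tags, report
// whether any other raw tag survives in the output (i.e. attacker-controlled
// markup would reach the parser).
function containsRawTag(html) {
  const stripped = html.replace(/<\/?(div|b)\b[^>]*>/g, "");
  return /<[a-z!\/]/i.test(stripped);
}

// Constructed sample: a friendly_name a misbehaving integration could report.
const hostileName = '<img src=x onerror="alert(1)">Living Room';

const unsafeHtml = buildTooltipUnsafe(hostileName, 21.5, "°C");
const safeHtml = buildTooltipSafe(hostileName, 21.5, "°C");

console.log("unsafe:", unsafeHtml, "-> raw tag present:", containsRawTag(unsafeHtml));
console.log("safe:  ", safeHtml, "-> raw tag present:", containsRawTag(safeHtml));
```

Run it with `node` and compare the two outputs: the unsafe renderer emits the `<img>` tag verbatim, the safe one emits `&lt;img ...&gt;`, which the browser displays as literal text. The general rule the fix follows is that encoding must match the output context; a name written into an attribute or into JavaScript would need the encoder for that context instead.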

TL;DR

Stored XSS in Home Assistant's History-graph card allows attackers to execute arbitrary JavaScript via manipulated sensor names, leading to session hijacking.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v4.0 Score: 7.3 (High)
  • EPSS Score: 0.00047 (14.49%)
  • Impact: Confidentiality, Integrity, Availability (High)
  • Exploit Status: Proof-of-Concept Available
  • CISA KEV Status: Not Listed

Affected Systems

  • Home Assistant Core
  • Home Assistant Frontend
  • History-graph card (ha-chart-base)
  • Home Assistant Core / Frontend: 2025.02 to <2026.01 (Fixed in: 2026.01)

Exploit Details

  • Research report: a stored XSS payload injected into a sensor's friendly_name is triggered when the Chart.js tooltip renders it on hover

Mitigation Strategies

  • Upgrade to patched software version
  • Audit database for anomalous sensor names containing HTML elements
  • Implement strict Content Security Policy (CSP)

Remediation Steps:

  1. Navigate to the Home Assistant settings and verify the current installation version.
  2. Update Home Assistant Core to version 2026.01 or later using the built-in update functionality or container redeployment.
  3. Review the entity registry for suspicious names, particularly those linked to external integrations like Android Auto.
  4. Remove or rename any sensors whose names contain <script>, <img>, <iframe>, or other HTML markup.
  5. Monitor network traffic for unauthorized outbound requests originating from the dashboard.
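Steps 3 and 4 above amount to an audit of entity names for HTML markup. The following is an added example (not Home Assistant's own tooling) that runs such an audit over a registry export: it walks each entity's name fields, classifies anything that looks like a tag, an inline event-handler attribute, a `javascript:` URI or an HTML entity, and returns one finding per hit. The registry layout, field names (`entity_id`, `platform`, `name`, `original_name`) and the sample entries, including the platform identifiers, are constructed for this example; adapt them to the real registry file if its shape differs.

```javascript
// Added example, not Home Assistant code: flag entity display names that
// contain HTML markup, as recommended in the remediation steps. The registry
// structure and all sample entries below are constructed.

// Patterns that indicate a display name was never meant to be plain text.
// Order matters: the first matching label is reported.
const SUSPICIOUS_PATTERNS = [
  { label: "html tag",        re: /<\s*\/?[a-z][^>]*>/i },
  { label: "event handler",   re: /\bon[a-z]+\s*=/i },
  { label: "javascript: URI", re: /javascript\s*:/i },
  { label: "html entity",     re: /&(#\d+|#x[0-9a-f]+|[a-z]+);/i },
];

// Registry fields that end up rendered as the entity's display name
// (assumed field names for this example).
const NAME_FIELDS = ["name", "original_name"];

// Return the label of the first suspicious pattern found in a name, or null.
function classifyName(value) {
  if (typeof value !== "string") return null;
  for (const { label, re } of SUSPICIOUS_PATTERNS) {
    if (re.test(value)) return label;
  }
  return null;
}

// Walk every entity and emit one finding per suspicious name field.
function auditEntityRegistry(registry) {
  const findings = [];
  for (const entry of registry.data.entities) {
    for (const field of NAME_FIELDS) {
      const reason = classifyName(entry[field]);
      if (reason) {
        findings.push({
          entity_id: entry.entity_id,
          platform: entry.platform,
          field,
          reason,
          value: entry[field],
        });
      }
    }
  }
  return findings;
}

// Constructed sample registry: two tampered names, one benign name that
// contains a bare '&' (must not be flagged), one clean entry.
const SAMPLE_REGISTRY = {
  version: 1,
  data: {
    entities: [
      { entity_id: "sensor.living_room_temperature", platform: "mqtt",
        name: null, original_name: "Living Room Temperature" },
      { entity_id: "sensor.phone_battery", platform: "android_auto",
        name: "Battery<script>alert(1)</script>", original_name: "Battery" },
      { entity_id: "sensor.garage_door", platform: "zwave_js",
        name: "Garage <iframe src=//example.invalid>", original_name: null },
      { entity_id: "sensor.kitchen_humidity", platform: "zha",
        name: "Kitchen & Pantry", original_name: "Humidity" },
    ],
  },
};

const findings = auditEntityRegistry(SAMPLE_REGISTRY);
for (const f of findings) {
  console.log(`${f.entity_id} [${f.platform}] ${f.field}: ${f.reason} -> ${JSON.stringify(f.value)}`);
}
```

Each finding carries the integration (`platform`) that owns the entity, which is what step 3 asks you to look at: a cluster of hits under one external integration points at the source rather than at a single renamed sensor. A bare ampersand is deliberately left unflagged so ordinary names such as "Kitchen & Pantry" do not become noise.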

References

Read the full report for CVE-2026-33045 on our website for more details including interactive diagrams and full exploit analysis.