Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue.
AnalysisAI
Cross-site scripting in Home Assistant's Map card component allows authenticated users to inject malicious JavaScript through device entity names, executing arbitrary code in victims' browsers when they hover over map information points. Affects Home Assistant versions 2020.02 through 2026.0.x, with fix released in version 2026.01. No public exploit identified at time of analysis, though CVSS E:P indicates proof-of-concept code exists. EPSS data not available, but exploitation requires authenticated access and user interaction (hovering), limiting practical attack surface.
Technical ContextAI
This is a stored XSS vulnerability (CWE-79) in Home Assistant's dashboard rendering engine, specifically within the Map card component. The vulnerability stems from improper sanitization of user-controlled device entity names before rendering them in the web interface. When an authenticated user creates or modifies a device entity name to include malicious JavaScript, this payload is stored in the Home Assistant database. The XSS triggers when another user views a dashboard containing a Map card that includes the compromised entity and hovers over its information marker, causing the browser to execute the injected script in the victim's session context. The attack vector (AV:N) indicates network-based exploitation, but requires low-privileged authentication (PR:L) and active user interaction (UI:A) with specific UI elements. The vulnerability affects the core Home Assistant software (home-assistant/core repository), which serves as the central automation platform processing device states and rendering the web interface.
RemediationAI
Upgrade to Home Assistant Core version 2026.01 or later, which includes input sanitization fixes for device entity names rendered in Map card components. The patch addresses the root cause by implementing proper HTML encoding and XSS filtering before rendering user-controlled entity names in dashboard contexts. Organizations should prioritize upgrading instances with multiple authenticated users or those exposed to untrusted parties. As an interim workaround until patching, administrators can audit existing device entity names for suspicious JavaScript patterns (script tags, event handlers, data URIs) and sanitize or remove Map cards from shared dashboards. Review user account permissions to ensure principle of least privilege, limiting device entity modification rights to trusted administrators only. After upgrading, conduct security review of all device entity names created during the vulnerability window (2020.02 through pre-2026.01 versions) to identify and remediate any injected payloads. Full security advisory with technical details available at https://github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xc.
More in Home Assistant
View allhomeassistant is an open source home automation tool. Rated critical severity (CVSS 10.0), this vulnerability is remotel
Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exp
Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exp
Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks aga
Home assistant is an open source home automation. Rated critical severity (CVSS 9.0), this vulnerability is remotely exp
Home Assistant is open source home automation software. Rated medium severity (CVSS 4.3), this vulnerability is no authe
Home assistant is an open source home automation. Rated high severity (CVSS 7.2), this vulnerability is remotely exploit
In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markd
Home assistant is an open source home automation. Rated medium severity (CVSS 5.4), this vulnerability is remotely explo
Home assistant is an open source home automation. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16774
GHSA-r584-6283-p7xc