Skip to main content

Home Assistant CVE-2026-33044

| EUVDEUVD-2026-16774 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-27 security-advisories@github.com GHSA-r584-6283-p7xc
7.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 20:22 euvd
EUVD-2026-16774
Analysis Generated
Mar 27, 2026 - 20:22 vuln.today
CVE Published
Mar 27, 2026 - 20:16 nvd
HIGH 7.3

DescriptionGitHub Advisory

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue.

AnalysisAI

Cross-site scripting in Home Assistant's Map card component allows authenticated users to inject malicious JavaScript through device entity names, executing arbitrary code in victims' browsers when they hover over map information points. Affects Home Assistant versions 2020.02 through 2026.0.x, with fix released in version 2026.01. No public exploit identified at time of analysis, though CVSS E:P indicates proof-of-concept code exists. EPSS data not available, but exploitation requires authenticated access and user interaction (hovering), limiting practical attack surface.

Technical ContextAI

This is a stored XSS vulnerability (CWE-79) in Home Assistant's dashboard rendering engine, specifically within the Map card component. The vulnerability stems from improper sanitization of user-controlled device entity names before rendering them in the web interface. When an authenticated user creates or modifies a device entity name to include malicious JavaScript, this payload is stored in the Home Assistant database. The XSS triggers when another user views a dashboard containing a Map card that includes the compromised entity and hovers over its information marker, causing the browser to execute the injected script in the victim's session context. The attack vector (AV:N) indicates network-based exploitation, but requires low-privileged authentication (PR:L) and active user interaction (UI:A) with specific UI elements. The vulnerability affects the core Home Assistant software (home-assistant/core repository), which serves as the central automation platform processing device states and rendering the web interface.

RemediationAI

Upgrade to Home Assistant Core version 2026.01 or later, which includes input sanitization fixes for device entity names rendered in Map card components. The patch addresses the root cause by implementing proper HTML encoding and XSS filtering before rendering user-controlled entity names in dashboard contexts. Organizations should prioritize upgrading instances with multiple authenticated users or those exposed to untrusted parties. As an interim workaround until patching, administrators can audit existing device entity names for suspicious JavaScript patterns (script tags, event handlers, data URIs) and sanitize or remove Map cards from shared dashboards. Review user account permissions to ensure principle of least privilege, limiting device entity modification rights to trusted administrators only. After upgrading, conduct security review of all device entity names created during the vulnerability window (2020.02 through pre-2026.01 versions) to identify and remediate any injected payloads. Full security advisory with technical details available at https://github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xc.

CVE-2023-27482 CRITICAL POC
10.0 Mar 08

homeassistant is an open source home automation tool. Rated critical severity (CVSS 10.0), this vulnerability is remotel

CVE-2023-41897 CRITICAL
9.6 Oct 19

Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exp

CVE-2023-41895 CRITICAL
9.6 Oct 19

Home assistant is an open source home automation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exp

CVE-2021-3152 MEDIUM POC
5.3 Jan 26

Home Assistant before 2021.1.3 does not have a protection layer that can help to prevent directory-traversal attacks aga

CVE-2023-41896 CRITICAL
9.0 Oct 19

Home assistant is an open source home automation. Rated critical severity (CVSS 9.0), this vulnerability is remotely exp

CVE-2023-50715 MEDIUM POC
4.3 Dec 15

Home Assistant is open source home automation software. Rated medium severity (CVSS 4.3), this vulnerability is no authe

CVE-2023-41899 HIGH
7.2 Oct 19

Home assistant is an open source home automation. Rated high severity (CVSS 7.2), this vulnerability is remotely exploit

CVE-2017-16782 MEDIUM
6.1 Nov 10

In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markd

CVE-2023-41893 MEDIUM
5.4 Oct 20

Home assistant is an open source home automation. Rated medium severity (CVSS 5.4), this vulnerability is remotely explo

CVE-2023-41894 MEDIUM
5.3 Oct 20

Home assistant is an open source home automation. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo

Share

CVE-2026-33044 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy