Platform: other
Component: core
Fixed in: 2026.01
CVE-2026-33044 is a stored Cross-Site Scripting (XSS) vulnerability in Home Assistant, an open-source home automation platform. An authenticated user can place script in a device entity name; the script later executes in the browser of anyone who views a dashboard whose Map card shows that entity. Versions from 2020.02 up to, but not including, 2026.01 are affected; the fix ships in version 2026.01.
The attack works because the entity name is stored server-side and then rendered into the Map card's markup without being escaped. When a user views a dashboard containing a Map card that includes the entity and hovers over the entity's information point, the injected JavaScript runs in that user's browser with the permissions of their session. From there it could steal session credentials, redirect the user to a phishing page, or deface the dashboard. Because the payload is stored, it fires for every viewer of the affected dashboard, including administrators, for as long as the name remains unchanged. The impact is limited to users who can view the affected dashboard and interact with the Map card. The CVSS score is LOW, but the possibility of a low-privileged account hijacking a higher-privileged viewer's session warrants prompt remediation.
CVE-2026-33044 was publicly disclosed on March 27, 2026. There is currently no indication of active exploitation or inclusion in the CISA KEV catalog. No public proof-of-concept (PoC) code has been released. The vulnerability's LOW severity rating and lack of public exploitation suggest a relatively low probability of near-term attacks.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33044 is to upgrade Home Assistant to version 2026.01 or later, which contains the fix. If upgrading is not immediately feasible, restrict access to dashboards containing Map cards to trusted users, and limit which accounts can rename entities, since the attacker must be authenticated and able to change a device entity name. There is no configuration-level workaround that prevents the injection itself, but auditing entity names for HTML markup (angle brackets, quotes, event-handler attributes) reduces exposure; note that a malicious name set before the upgrade is still stored afterwards, so review existing names even after patching. No WAF rules or detection signatures specific to this vulnerability are readily available, which makes timely patching the most effective defense.
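The following is an added example and not Home Assistant's own code. It shows the rendering mistake behind this class of bug (an entity's friendly name interpolated straight into tooltip HTML) next to the hardened form that escapes the name first, and it includes the audit helper suggested above, run over a constructed list shaped like the entries the Home Assistant `GET /api/states` endpoint returns. The function names, the `SAMPLE_STATES` data and the payload string are assumptions made for illustration.

```javascript
// Added example, not Home Assistant frontend code.
// Demonstrates stored XSS via an unescaped entity name in a map-marker tooltip,
// the escaped alternative, and an audit over /api/states-shaped data.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that carry meaning in HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the stored friendly name is dropped into markup verbatim,
// so a name containing a tag becomes live HTML when the tooltip is shown.
function renderTooltipUnsafe(entity) {
  return `<div class="tooltip">${entity.attributes.friendly_name}</div>`;
}

// Hardened pattern: escape before interpolating. In real DOM code the
// equivalent is assigning the name to textContent instead of innerHTML.
function renderTooltipSafe(entity) {
  return `<div class="tooltip">${escapeHtml(entity.attributes.friendly_name)}</div>`;
}

// Audit helper: flag entity names that contain markup-significant characters,
// a javascript: URL, or something that looks like an inline event handler.
// Regex is a heuristic for review, not a sanitizer.
const SUSPICIOUS_NAME = /[<>"'&]|javascript:|\bon\w+\s*=/i;

function findSuspiciousNames(states) {
  return states
    .filter((s) => SUSPICIOUS_NAME.test((s.attributes && s.attributes.friendly_name) || ""))
    .map((s) => s.entity_id);
}

// Constructed sample (assumption): two tracker entities as /api/states would
// return them, one with a benign name and one with a stored XSS payload.
const SAMPLE_STATES = [
  {
    entity_id: "device_tracker.phone",
    state: "home",
    attributes: { friendly_name: "Phone", latitude: 52.37, longitude: 4.9 },
  },
  {
    entity_id: "device_tracker.tag",
    state: "not_home",
    attributes: {
      friendly_name: '<img src=x onerror="alert(document.cookie)">',
      latitude: 52.4,
      longitude: 4.8,
    },
  },
];

// Stand-alone run: show both renderings and the audit result.
for (const entity of SAMPLE_STATES) {
  console.log("unsafe:", renderTooltipUnsafe(entity));
  console.log("safe:  ", renderTooltipSafe(entity));
}
console.log("suspicious entity names:", findSuspiciousNames(SAMPLE_STATES));
```

Against a live instance the same audit can be fed the JSON from `GET /api/states` (with a long-lived access token in the `Authorization: Bearer` header); any entity it flags should have its name reviewed and corrected regardless of whether the upgrade has already been applied.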
Upgrade Home Assistant to version 2026.01 or later. That version fixes the stored XSS vulnerability in the map card.
CVE-2026-33044 is a stored Cross-Site Scripting (XSS) vulnerability in Home Assistant versions from 2020.02 up to, but not including, 2026.01. An authenticated user can inject script through a device entity name, and it executes for users who view that entity in a Map card.
You are affected if you run a Home Assistant version from 2020.02 up to, but not including, 2026.01, have dashboards that use Map cards, and have authenticated users who can add or rename the device entities those cards display.
Upgrade Home Assistant to version 2026.01 or later to resolve the vulnerability. This includes the necessary security patch.
There is currently no indication of active exploitation of CVE-2026-33044.
Refer to the official Home Assistant security advisory for CVE-2026-33044 on the Home Assistant website.