CVE-2026-33044 | Severity: LOW | CVSS 2.5

Home Assistant: stored XSS in the Map card via a malicious device name

Platform

other

Component

core

Fixed in

2026.01

AI Confidence: high | NVD | EPSS 0.0% | Reviewed: May 2026

CVE-2026-33044 describes a Cross-Site Scripting (XSS) vulnerability affecting Home Assistant, an open-source home automation platform. The vulnerability allows an authenticated attacker to inject malicious code via device entity names, potentially impacting users who view dashboards containing Map-card components. Affected versions run from 2020.02 up to, but not including, 2026.01. A fix is available in version 2026.01.

Impact and attack scenarios

An attacker exploiting this vulnerability could inject malicious JavaScript code into a device entity name within Home Assistant. When a user views a dashboard containing a Map-card that includes this entity and hovers over the information point, the injected script executes in the user's browser. This could lead to various malicious actions, including stealing session cookies, redirecting users to phishing sites, or defacing the dashboard. The impact is limited to users who can view the affected dashboard and interact with the Map-card component. Although the CVSS score is LOW, the potential for unauthorized access and data theft warrants prompt remediation.

Exploitation context

CVE-2026-33044 was publicly disclosed on March 27, 2026. There is currently no indication of active exploitation or inclusion in the CISA KEV catalog. No public proof-of-concept (PoC) code has been released. The vulnerability's LOW severity rating and lack of public exploitation suggest a relatively low probability of near-term attacks.

Who is at risk

Home Assistant users who have not upgraded to version 2026.01 or later are at risk. This applies in particular to instances whose dashboards contain Map-card components and where authenticated users are allowed to add or modify device entities. Shared hosting environments, where multiple users share a single Home Assistant instance, are particularly exposed.

Detection steps

• linux / server: Examine Home Assistant logs for suspicious device entity name creations or modifications. Use journalctl -u home-assistant to filter for relevant events.

journalctl -u home-assistant | grep 'entity_name:'

• generic web: Monitor Home Assistant dashboards for unexpected JavaScript behavior or redirects when hovering over Map-card entities. Inspect browser developer console for any unusual network requests or script errors.

Attack timeline

  1. Disclosure

Threat intelligence

Exploit status

Proof of concept: Unknown
CISA KEV: No
Reports: 1 threat report

EPSS

0.03% (9th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical impact: total

Affected software

Component: core
Vendor: home-assistant
Affected range: >= 2020.02, < 2026.01
Fixed in: 2026.01

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and workarounds

The primary mitigation for CVE-2026-33044 is to upgrade Home Assistant to version 2026.01 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider restricting access to dashboards containing Map-cards to trusted users only. While a direct workaround to prevent the XSS injection is not available, carefully reviewing and sanitizing device entity names can reduce the attack surface. There are no specific WAF rules or detection signatures readily available for this particular XSS vulnerability, making timely patching the most effective defense.
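The detection steps above suggest looking for suspicious entity-name changes, and the mitigation section recommends reviewing and sanitizing device entity names while a patch is pending. The following script is an added example written for this page; it is not code from the Home Assistant project. It assumes the layout of Home Assistant's entity registry file (.storage/core.entity_registry, a JSON document with a data.entities list whose entries carry entity_id, name and original_name), which is an assumption, and it works on a constructed sample registry embedded inline. It flags names containing HTML-tag syntax, inline event-handler attributes, javascript: URIs or HTML entities, which are the ingredients a stored XSS payload needs and which a human-readable device name has no reason to contain, and it shows the escaping a renderer should apply before interpolating a name into HTML.

```python
import html
import json
import re
import sys

# Patterns that have no business in a human-readable device/entity name.
# Deliberately broad: this produces a triage list for a reviewer, not a WAF rule.
SUSPICIOUS_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z!]"),
    "event_handler_attr": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "html_entity": re.compile(r"&(#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);"),
}

# Registry fields that end up rendered as labels (assumed field names).
NAME_FIELDS = ("name", "original_name")


def classify_name(value):
    """Return the labels of every suspicious pattern that matches one name string."""
    if not value:
        return []
    return [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(value)]


def find_suspicious_entities(entities):
    """Scan registry entries (dicts with entity_id/name/original_name, assumed layout)
    and return [(entity_id, field, value, labels)] for every name that matches."""
    findings = []
    for ent in entities:
        for field in NAME_FIELDS:
            labels = classify_name(ent.get(field))
            if labels:
                findings.append((ent.get("entity_id", "?"), field, ent[field], labels))
    return findings


def load_registry_entities(registry_json_text):
    """Parse the registry JSON text and return its entity list (assumed data.entities layout)."""
    doc = json.loads(registry_json_text)
    return doc.get("data", {}).get("entities", [])


def safe_display_name(value):
    """What a card renderer should do before placing a name into HTML: escape it."""
    return html.escape(value, quote=True)


# Constructed sample registry: two benign names that contain characters which are
# legitimate in a label (apostrophe, bare ampersand) and two that a reviewer should see.
SAMPLE_REGISTRY = json.dumps({
    "version": 1,
    "key": "core.entity_registry",
    "data": {"entities": [
        {"entity_id": "device_tracker.phone_alice", "name": "Alice's phone", "original_name": "Phone"},
        {"entity_id": "device_tracker.car", "name": "Car <b>tracker</b>", "original_name": "Car"},
        {"entity_id": "device_tracker.bike", "name": None, "original_name": "Bike onmouseover=alert(1)"},
        {"entity_id": "sensor.rain", "name": "Rain & wind", "original_name": "Rain"},
    ]},
})


if __name__ == "__main__":
    # Usage: python scan_entity_names.py [/path/to/.storage/core.entity_registry]
    # Without an argument the constructed sample registry is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            entities = load_registry_entities(fh.read())
    else:
        entities = load_registry_entities(SAMPLE_REGISTRY)
    for entity_id, field, value, labels in find_suspicious_entities(entities):
        print(f"{entity_id} [{field}] {labels}: {value!r} -> escaped: {safe_display_name(value)!r}")
```

Stop Home Assistant or work on a copy of the registry file before reading it, since the .storage files are written by the running core. The scan is a review aid for the pre-patch period: a flagged name should be inspected and corrected by an administrator, and the escaping shown in safe_display_name is the property the 2026.01 fix restores in the card rather than something to bolt on in the registry.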

How to fix

Update Home Assistant to version 2026.01 or later. That version fixes the stored XSS vulnerability in the Map card.


Frequently asked questions

What is CVE-2026-33044 — XSS in Home Assistant?

CVE-2026-33044 is a Cross-Site Scripting (XSS) vulnerability in Home Assistant versions from 2020.02 up to, but not including, 2026.01, allowing attackers to inject malicious code via device entity names.

Am I affected by CVE-2026-33044 in Home Assistant?

You are affected if you are running a Home Assistant version from 2020.02 up to, but not including, 2026.01 and have dashboards with Map-card components where authenticated users can add or modify device entities.

How do I fix CVE-2026-33044 in Home Assistant?

Upgrade Home Assistant to version 2026.01 or later to resolve the vulnerability. This includes the necessary security patch.

Is CVE-2026-33044 being actively exploited?

There is currently no indication of active exploitation of CVE-2026-33044.

Where can I find the official Home Assistant advisory for CVE-2026-33044?

Refer to the official Home Assistant security advisory for CVE-2026-33044 on the Home Assistant website.
