Platform
other
Component
core
Fixed in
2026.01
CVE-2026-33044 describes a Cross-Site Scripting (XSS) vulnerability affecting Home Assistant, an open-source home automation platform. It allows an authenticated attacker to inject malicious code via device entity names, which can affect users viewing dashboards that contain Map-card components. The vulnerability affects versions from 2020.02 up to, but not including, version 2026.01. A fix is available in version 2026.01.
An attacker exploiting this vulnerability could store malicious JavaScript in a device entity name within Home Assistant. When a user views a dashboard containing a Map-card that includes this entity and hovers over its marker, the injected script executes in that user's browser. This could lead to various malicious actions, including stealing session cookies, redirecting users to phishing sites, or defacing the dashboard. The impact is limited to users who can view the affected dashboard and interact with the Map-card component. While the CVSS score is LOW, the potential for unauthorized access and data theft warrants prompt remediation.
CVE-2026-33044 was publicly disclosed on March 27, 2026. There is currently no indication of active exploitation or inclusion in the CISA KEV catalog. No public proof-of-concept (PoC) code has been released. The vulnerability's LOW severity rating and lack of public exploitation suggest a relatively low probability of near-term attacks.
Home Assistant users who have not upgraded to version 2026.01 or later are at risk. This applies in particular to instances whose dashboards contain Map-card components and where authenticated users are allowed to add or modify device entities. Shared instances, where multiple users share one Home Assistant installation, are particularly exposed.
• linux / server: Examine Home Assistant logs for suspicious device entity name creations or modifications. Use journalctl -u home-assistant to filter for relevant events.
  journalctl -u home-assistant | grep 'entity_name:'
• generic web: Monitor Home Assistant dashboards for unexpected JavaScript behavior or redirects when hovering over Map-card entities. Inspect the browser developer console for any unusual network requests or script errors.
disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33044 is to upgrade Home Assistant to version 2026.01 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider restricting access to dashboards containing Map-cards to trusted users only. While a direct workaround to prevent the XSS injection is not available, carefully reviewing and sanitizing device entity names can reduce the attack surface. There are no specific WAF rules or detection signatures readily available for this particular XSS vulnerability, making timely patching the most effective defense.
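To support the log-review and entity-name-review steps above, here is an added example (not code from this advisory or from the Home Assistant project) that audits entity names in the shape returned by Home Assistant's /api/states endpoint, flags friendly_name values carrying HTML or script markup, and notes which of them carry coordinates, which is assumed here to be what a Map-card would render. The entity records are constructed sample data, not real output from an instance.

```python
"""Audit Home Assistant entity friendly names for injected markup (added example)."""
import html
import re

# Fragments that have no business in a human-readable entity name:
# an HTML tag opener, a javascript: URL, an inline event handler, or an HTML entity.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9]*|javascript:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;",
    re.IGNORECASE,
)


def is_mappable(state: dict) -> bool:
    """Assumption: an entity with latitude/longitude attributes can appear on a Map-card."""
    attrs = state.get("attributes", {})
    return "latitude" in attrs and "longitude" in attrs


def audit_entity_names(states: list[dict]) -> list[dict]:
    """Return one finding per entity whose friendly_name contains suspicious markup."""
    findings = []
    for state in states:
        name = state.get("attributes", {}).get("friendly_name", "")
        match = SUSPICIOUS.search(name) if name else None
        if match:
            findings.append({
                "entity_id": state["entity_id"],
                "fragment": match.group(0),      # what triggered the finding
                "on_map": is_mappable(state),    # higher priority if a Map-card shows it
                "safe_name": html.escape(name),  # escaped form for a review report
            })
    return findings


# Constructed sample records in /api/states shape (hypothetical entities).
SAMPLE_STATES = [
    {"entity_id": "device_tracker.phone_a", "state": "home",
     "attributes": {"friendly_name": "Kitchen Phone", "latitude": 51.5, "longitude": -0.1}},
    {"entity_id": "device_tracker.phone_b", "state": "home",
     "attributes": {"friendly_name": "Garage <script>x</script>",
                    "latitude": 51.5, "longitude": -0.1}},
    {"entity_id": "sensor.temp", "state": "21.5",
     "attributes": {"friendly_name": "Temp & Humidity"}},   # benign ampersand, not flagged
    {"entity_id": "person.guest", "state": "not_home",
     "attributes": {"friendly_name": "Guest onclick=alert(1)"}},
]

if __name__ == "__main__":
    for finding in audit_entity_names(SAMPLE_STATES):
        print(finding)
```

To run this against a live instance, fetch the JSON list from /api/states with a long-lived access token and pass it to audit_entity_names; entities flagged with on_map set should be renamed first.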
Update Home Assistant to version 2026.01 or later. This version fixes the stored XSS vulnerability in the Map-card.
CVE-2026-33044 is a Cross-Site Scripting (XSS) vulnerability in Home Assistant versions 2020.02 through 2026.01, allowing attackers to inject malicious code via device entity names.
You are affected if you are running Home Assistant versions 2020.02 to 2026.01 and have dashboards with Map-card components where authenticated users can add or modify device entities.
Upgrade Home Assistant to version 2026.01 or later to resolve the vulnerability. This includes the necessary security patch.
There is currently no indication of active exploitation of CVE-2026-33044.
Refer to the official Home Assistant security advisory for CVE-2026-33044 on the Home Assistant website.