CVE-2026-33044
Home Assistant has stored XSS in Map-card through malicious device name
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 9th |
Home Assistant is open-source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can give their device entity a malicious name, which allows Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card that includes that entity. The attack requires the victim to hover over an information point. Version 2026.01 fixes the issue.
| CWE | CWE-79 |
| Vendor | home-assistant |
| Product | core |
| Published | Mar 27, 2026 |
| Last Updated | Apr 2, 2026 |
Affected Versions
home-assistant / core
>= 2020.02, < 2026.01