{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33044", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.211Z", "datePublished": "2026-03-27T19:35:45.728Z", "dateUpdated": "2026-03-27T19:35:45.728Z"}, "containers": {"cna": {"title": "Home Assistant has stored XSS in Map-card through malicious device name", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xc"}], "affected": [{"vendor": "home-assistant", "product": "core", "versions": [{"version": ">= 2020.02, < 2026.01", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:35:45.728Z"}, "descriptions": [{"lang": "en", "value": "Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue."}], "source": {"advisory": "GHSA-r584-6283-p7xc", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue."}], "id": "CVE-2026-33044", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:30.980", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2020.02,2026.01)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "core", "source": "cna", "vendor": "home-assistant"}, "product": "core", "vendor": "home-assistant"}], "analysis": {"en": {"generated_at": "2026-03-27T21:38:23.139519+00:00", "value": {"mitigation_remediation": ["Upgrade Home Assistant to version 2026.01 or newer."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting via device name in Map\u2011card"}, "threat_synthesis": {"affected_systems": "All Home\u00a0Assistant core installations from release 2020.02 up to, but not including, 2026.01 are vulnerable. The issue resides in the map\u2011card component that displays devices on the dashboard. Installations that allow authenticated users to add or modify device names are at risk because the malicious name is stored and later rendered to others who view the dashboard.", "description_and_impact": "An authenticated user can inject malicious JavaScript into the name of a device entity in Home Assistant. When the edited device appears on a dashboard that contains a Map\u2011card, the script executes in the browser of any user who views the card. This can hijack the user session, steal session cookies, or perform actions on behalf of the victim. The flaw is a stored Cross\u2011Site Scripting vulnerability (CWE\u201179) that compromises confidentiality, integrity, and availability of user sessions.", "risk_and_exploitability": "With a CVSS score of 7.3, the vulnerability falls into the high\u2011severity range. Exploitation requires legitimate authentication and the victim to view a dashboard containing the malicious device; hovering over the device icon triggers the exploit. While it does not allow remote code execution on the host, the impact on user accounts can be significant. EPSS data is unavailable and the flaw has not yet appeared in the CISA KEV catalog. Nonetheless, authenticated social engineering and the potential for widespread dashboard exposure make this a concrete threat for installations with broad user privileges."}}}}, "created": "2026-03-29T20:30:27.179150+00:00", "updated": "2026-03-30T07:00:40.716796+00:00", "vendors": ["home-assistant", "home-assistant$PRODUCT$core"]}