Impact
An authenticated user can inject malicious JavaScript into the name of a device entity in Home Assistant. When a device with such a name appears on a dashboard that contains a map card, the script executes in the browser of any user who views the card. This can hijack the user session, steal session cookies, or perform actions on behalf of the victim. The flaw is a stored Cross-Site Scripting vulnerability (CWE-79) that compromises the confidentiality, integrity, and availability of user sessions.
Affected Systems
All Home Assistant core installations from release 2020.02 up to, but not including, 2026.01 are vulnerable. The issue resides in the map-card component that displays devices on the dashboard. Installations that allow authenticated users to add or modify device names are at risk because the malicious name is stored and later rendered, unescaped, to every other user who views the dashboard.
Risk and Exploitability
With a CVSS score of 7.3, the vulnerability falls into the high-severity range. Exploitation requires a legitimately authenticated attacker and a victim who views a dashboard containing the malicious device; hovering over the device icon triggers the payload. While it does not allow remote code execution on the host, the impact on user accounts can be significant. EPSS data is unavailable and the flaw has not yet appeared in the CISA KEV catalog. Nonetheless, the low effort required of an authenticated user to plant the payload and the potential for widespread dashboard exposure make this a concrete threat for installations that grant device-edit rights broadly.
OpenCVE Enrichment
Github GHSA