Description
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue.
Published: 2026-03-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting in Map-card
Action: Immediate Patch
AI Analysis

Impact

An authenticated user can store a malicious name in a device entity, causing a stored cross-site scripting condition on any dashboard that uses a Map-card displaying that entity. The script runs when a viewer hovers over the information point, potentially executing arbitrary script in the victim's browser, exposing confidential information, or hijacking the session. This is a classic stored XSS flaw, classified as CWE-79.

Affected Systems

Home Assistant core is affected for all releases from 2020.02 up to, but not including, 2026.01. Versions 2026.01 and later contain the fix and are not vulnerable.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity. The EPSS score of less than 1% implies a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to hold credentials that allow creating or modifying a device name, and a victim who views a Map-card containing that device; the attack path is therefore authenticated access followed by victim interaction (hovering over an information point).

Generated by OpenCVE AI on March 31, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Home Assistant 2026.01 or newer.
  • If immediate upgrade is not feasible, review device names on the Map‑card and remove any script tags or malicious content.
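The following is an added example, not code from Home Assistant or from this advisory. It demonstrates the defender side of the Impact section above and the interim review step in the recommended actions: escaping an untrusted entity name before it is placed into tooltip HTML, beside the unsafe concatenation it replaces, and a scan over an entity inventory for names that contain markup. The entity object shape (`entity_id`, `name`), the tooltip markup, and the sample inventory are assumptions constructed for the example.

```javascript
// Added example, not Home Assistant code. Shows the defender side of the
// CWE-79 pattern in this advisory: (1) escaping an untrusted entity name
// before it is interpolated into tooltip HTML, and (2) scanning an entity
// inventory for names containing markup, as the interim review step.
//
// Assumptions (not from the advisory): entities are objects with `entity_id`
// and `name` fields, and the vulnerable tooltip concatenated `name` directly
// into an HTML string.

// Escape the characters that can change HTML structure in text or attribute
// context. This is what an auto-escaping template engine does for you.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable shape, kept only for contrast: the name is trusted as HTML.
function renderTooltipUnsafe(name) {
  return `<div class="tooltip">${name}</div>`;
}

// Hardened shape: the name is escaped first, so any markup in it renders as text.
function renderTooltipSafe(name) {
  return `<div class="tooltip">${escapeHtml(name)}</div>`;
}

// Interim review helper: flag entity names containing angle brackets, an
// inline event-handler attribute, or a javascript: URL. Deliberately
// conservative; a false positive costs one manual look.
const SUSPICIOUS_NAME = /[<>]|\bon[a-z]+\s*=|javascript:/i;

function findSuspiciousNames(entities) {
  return entities
    .filter((entity) => SUSPICIOUS_NAME.test(entity.name))
    .map((entity) => entity.entity_id);
}

// Constructed sample inventory for demonstration (not real data).
const SAMPLE_ENTITIES = [
  { entity_id: 'device_tracker.phone', name: "Alice's Phone" },
  { entity_id: 'device_tracker.car', name: 'Car <b>GPS</b>' },
  { entity_id: 'device_tracker.bike', name: 'Bike & Trailer' },
];

console.log(findSuspiciousNames(SAMPLE_ENTITIES));        // ['device_tracker.car']
console.log(renderTooltipSafe(SAMPLE_ENTITIES[1].name)); // markup shown as literal text
```

The scan is a stopgap for installations that cannot upgrade yet; the durable fix is the escaping step (or an auto-escaping template), which is what makes the upgrade the recommended action.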

Generated by OpenCVE AI on March 31, 2026 at 15:37 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-r584-6283-p7xc
Title: Home Assistant has stored XSS in Map-card through malicious device name
History

Thu, 02 Apr 2026 14:15:00 +0000

Metrics (ssvc)
  Removed: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Added:   {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 15:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 14:15:00 +0000

First Time appeared
  Added: Home-assistant home-assistant
CPEs
  Added: cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*
Vendors & Products
  Added: Home-assistant home-assistant
Metrics (cvssV3_1)
  Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 30 Mar 2026 07:15:00 +0000

First Time appeared
  Added: Home-assistant; Home-assistant core
Vendors & Products
  Added: Home-assistant; Home-assistant core

Fri, 27 Mar 2026 20:00:00 +0000

Description
  Added: Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue.
Title
  Added: Home Assistant has stored XSS in Map-card through malicious device name
Weaknesses
  Added: CWE-79
References
  (none listed)
Metrics (cvssV4_0)
  Added: {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T13:08:11.661Z

Reserved: 2026-03-17T18:10:50.211Z

Link: CVE-2026-33044

Vulnrichment

Updated: 2026-03-31T13:50:55.726Z

NVD

Status : Analyzed

Published: 2026-03-27T20:16:30.980

Modified: 2026-03-31T15:42:30.977

Link: CVE-2026-33044

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:00:48Z

Weaknesses