CVE-2026-33044: Stored Cross-Site Scripting in Home Assistant Map-Card


Vulnerability ID: CVE-2026-33044
CVSS Score: 7.3
Published: 2026-03-27

Home Assistant versions prior to 2026.01 are vulnerable to a stored Cross-Site Scripting (XSS) flaw in the Map-card component. An authenticated attacker can inject malicious JavaScript into an entity name, which executes when a victim hovers over historical movement data points in the dashboard.

TL;DR

A stored XSS vulnerability in the Home Assistant Map-card allows authenticated attackers to execute arbitrary JavaScript in a victim's browser context by injecting HTML payloads into device entity names.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-33044
  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS 4.0 Score: 7.3
  • Impact: Account Takeover / Session Hijacking
  • Exploit Status: PoC Available
  • CISA KEV Status: Not Listed

Affected Systems

  • Home Assistant Core
  • Home Assistant Frontend
  • homeassistant: >= 2020.02, < 2026.01 (Fixed in: 2026.01)

Exploit Details

Mitigation Strategies

  • Upgrade Home Assistant to version 2026.01.
  • Disable the hours_to_show property in Map-card configurations until patched.
  • Enforce strict HTML output encoding for all user-controlled data in frontend components.
  • Audit existing entity names for unauthorized modifications or HTML payloads.
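The output-encoding and audit mitigations above, as an added illustration that is not Home Assistant's own frontend code: a hypothetical tooltip renderer that HTML-escapes the entity's friendly name before it is placed in markup, and an audit helper that flags stored entity names containing markup. The entity states are constructed sample data.

```javascript
// Added example, not Home Assistant code. Shows two of the mitigations
// listed above: escaping user-controlled entity names before they are
// interpolated into tooltip HTML, and auditing stored names for markup.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hypothetical tooltip for a history point on a map card. The friendly
// name is read from entity state, i.e. it is user-controlled data, so it
// must be escaped before being interpolated into markup.
function renderHistoryTooltip(entity, point) {
  const name = escapeHtml(entity.attributes.friendly_name || entity.entity_id);
  const when = escapeHtml(point.last_updated);
  return `<div class="tooltip"><b>${name}</b><br>${when}</div>`;
}

// Audit helper: returns the entity_ids whose friendly_name contains
// characters or sequences that only appear in markup (tags, entities,
// or a javascript: scheme), so an operator can review them.
function findSuspiciousEntityNames(states) {
  const markup = /[<>]|&[#a-z0-9]+;|javascript:/i;
  return states
    .filter((s) => markup.test(s.attributes.friendly_name || ''))
    .map((s) => s.entity_id);
}

// Constructed sample states (not real Home Assistant data).
const SAMPLE_STATES = [
  { entity_id: 'device_tracker.phone_a', attributes: { friendly_name: "Ann's phone" } },
  { entity_id: 'device_tracker.phone_b', attributes: { friendly_name: '<b>Bob</b> phone' } },
  { entity_id: 'zone.home', attributes: { friendly_name: 'Home' } },
];
```

Run the audit against a dump of the `/api/states` response in the same shape as SAMPLE_STATES to list entity names that need review.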

Remediation Steps:

  1. Access the Home Assistant administrative interface.
  2. Navigate to Settings > System > Updates.
  3. Identify the pending update for Home Assistant Core version 2026.01.
  4. Initiate the backup process to secure the current configuration.
  5. Apply the update and monitor the system logs during the restart process.
  6. Verify the application version displays 2026.01 in the 'About' section.
