Medium severity5.4NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026
CVE-2026-33044
CVE-2026-33044
Description
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
homeassistantPyPI | >= 2020.02, < 2026.01 | 2026.01 |
Affected products
1- cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*Range: >=2020.02,<2026.1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xcnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-r584-6283-p7xcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33044ghsaADVISORY
News mentions
0No linked articles in our index yet.