Medium severity5.4NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026
CVE-2026-33044
CVE-2026-33044
Description
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
homeassistantPyPI | >= 2020.02, < 2026.01 | 2026.01 |
Affected products
2- cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*Range: >=2020.02,<2026.1.0
Patches
Vulnerability mechanics
References
3- github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xcnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-r584-6283-p7xcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33044ghsaADVISORY
News mentions
0No linked articles in our index yet.