CVE-2026-33044 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Home Assistant core software, an open-source home automation platform emphasizing local control and privacy. The flaw exists in versions starting from 2020.02 up to but not including 2026.01. The vulnerability arises because the software improperly neutralizes input during web page generation, specifically when rendering device entity names on the Map-card dashboard component. An authenticated attacker can add a maliciously crafted name to their device entity. When any user views a dashboard containing this Map-card and hovers over the information point associated with the malicious entity, the embedded script executes in the victim's browser context. This can lead to session hijacking, unauthorized actions, or data theft. Exploitation requires the attacker to have at least low-level authenticated access to the Home Assistant instance and the victim to perform a hover action, which is a form of user interaction. The vulnerability has a CVSS 4.0 base score of 7.3, reflecting high severity due to network attack vector, low attack complexity, partial authentication required, and significant impact on confidentiality, integrity, and availability. The issue was publicly disclosed on March 27, 2026, and fixed in version 2026.01. No known exploits in the wild have been reported yet. The vulnerability highlights the risk of insufficient input sanitization in dynamic web UI components within home automation platforms, which can be leveraged to compromise users' security and privacy.

This vulnerability poses a significant risk to organizations and individuals using Home Assistant for home or enterprise automation. Successful exploitation can lead to unauthorized script execution in the context of legitimate users, enabling theft of sensitive information such as authentication tokens, session cookies, or personal data displayed on dashboards. Attackers could manipulate the user interface or perform actions on behalf of victims, potentially disrupting automation workflows or causing denial of service. Since Home Assistant is often integrated with critical home and building systems (e.g., security cameras, alarms, HVAC), compromise could extend to physical security risks. The requirement for authenticated access limits exposure to insiders or compromised accounts, but the widespread use of Home Assistant in smart homes and small businesses increases the attack surface. Organizations relying on Home Assistant dashboards for monitoring and control should consider the risk of lateral movement or privilege escalation if attackers leverage this XSS to gain further footholds. Although no active exploits are known, the vulnerability's presence in many versions over several years means many deployments remain at risk until patched.

1. Upgrade all Home Assistant instances to version 2026.01 or later, where the vulnerability is fixed. 2. Restrict device entity creation and renaming permissions to trusted, authenticated users only, minimizing the risk of malicious input injection. 3. Implement Content Security Policy (CSP) headers on the Home Assistant web interface to reduce the impact of XSS by restricting script execution sources. 4. Educate users to avoid hovering over suspicious or unknown entities on dashboards until patches are applied. 5. Regularly audit entity names and dashboard configurations for unexpected or suspicious entries. 6. Monitor Home Assistant logs for unusual authentication or entity modification activities that could indicate attempted exploitation. 7. Consider network segmentation to isolate Home Assistant instances from critical infrastructure to limit potential lateral movement. 8. Employ web application firewalls (WAFs) with rules targeting XSS payload patterns if feasible in the deployment environment. These measures combined reduce the likelihood and impact of exploitation beyond simply applying the patch.