PT-2026-28466 · Unknown · Home Assistant

Pwnpanda · Published 2026-03-27 · Updated 2026-03-29 · CVE-2026-33044

CVSS v4.0: 8.8 (High)

Vector: AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

Home Assistant versions 2020.02 through 2026.01

Description

Home Assistant, an open-source home automation software, contains a flaw where an authenticated user can inject malicious code into a device entity name. This allows for Cross-Site Scripting (XSS) attacks against other users who view a dashboard containing a Map-card that includes the compromised entity. The attack requires the victim to hover over an information point on the map. The issue is similar to a previously documented issue but affects entities displayed in a Map, rather than an energy dashboard. The impact of this flaw allows a user to potentially target other users and perform account takeover through client-side exploitation.

Recommendations

Update to version 2026.01 or later.
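
The weakness class described above, shown as an added example that is not Home Assistant source code: an entity name concatenated into tooltip markup beside the encoded form, plus a helper for auditing stored entity names. It assumes the tooltip is assembled from an HTML string (the advisory does not say how the Map card renders it); all function names and the sample entities are hypothetical and constructed.

```javascript
// Added example; not Home Assistant code. Names and data are hypothetical.

// Constructed sample: entity names as an authenticated user could set them.
const sampleEntities = [
  { entity_id: "device_tracker.phone", name: "Alice's phone" },
  { entity_id: "device_tracker.car", name: 'Car <img src=x onerror="alert(1)">' },
  { entity_id: "sensor.temp", name: "Temp < 5 & falling" },
];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (assumed): the name is concatenated into markup that
// is parsed as HTML when the tooltip opens on hover.
function tooltipHtmlUnsafe(entity) {
  return `<div class="tooltip">${entity.name}</div>`;
}

// Hardened pattern: the name is treated as text and encoded before use.
function tooltipHtmlSafe(entity) {
  return `<div class="tooltip">${escapeHtml(entity.name)}</div>`;
}

// Audit helper: flag names containing a tag opener or an inline event
// handler attribute. Legitimate names with a bare "<" or "&" are not flagged.
function findSuspiciousNames(entities) {
  const pattern = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=/i;
  return entities.filter((e) => pattern.test(e.name)).map((e) => e.entity_id);
}

console.log(findSuspiciousNames(sampleEntities));
```

Running the audit helper over an export of entity names after upgrading shows whether any markup-bearing names were stored while an instance was on an affected version.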

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33044
GHSA-R584-6283-P7XC

Affected Products

Home Assistant