Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue.
{
"cwe_ids": [
"CWE-79"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33044.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "2020.02"
},
{
"fixed": "2026.01"
}
],
"source": "AFFECTED_FIELD"
}
],
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "2020.02"
},
{
"fixed": "2026.1.0"
}
],
"source": "CPE_RANGE"
}