CVE-2026-33044

Source
https://cve.org/CVERecord?id=CVE-2026-33044
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33044.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33044
Aliases
Published
2026-03-27T19:35:45.728Z
Modified
2026-07-15T01:48:51.827457758Z
Severity
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P CVSS Calculator
Summary
Home Assistant has stored XSS in Map-card through malicious device name
Details

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33044.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "2020.02"
                },
                {
                    "fixed": "2026.01"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/home-assistant/core

Affected ranges

Type
GIT
Repo
https://github.com/home-assistant/core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2020.02"
        },
        {
            "fixed": "2026.1.0"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

0.*
0.103.0
0.103.0b0
0.103.0b1
0.103.1
0.103.2
0.103.3
0.103.4
0.103.5
0.103.6
0.104.0
0.104.1
0.104.2
0.104.3
0.105.0
0.105.1
0.105.2
0.105.3
0.105.4
0.105.5
0.106.0
0.106.1
0.106.2
0.106.3
0.106.4
0.106.5
0.106.6
0.107.0
0.107.1
0.107.2
0.107.3
0.107.4
0.107.5
0.107.6
0.107.7
0.108.0
0.108.1
0.108.2
0.108.3
0.108.4
0.108.5
0.108.6
0.108.7
0.108.8
0.108.9
0.109.0
0.109.1
0.109.2
0.109.3
0.109.4
0.109.5
0.109.6
0.110.0
0.110.1
0.110.2
0.110.3
0.110.4
0.110.5
0.110.6
0.110.7
0.111.0
0.111.1
0.111.2
0.111.3
0.111.4
0.112.0
0.112.1
0.112.2
0.112.3
0.112.4
0.112.5
0.113.0
0.113.1
0.113.2
0.113.3
0.114.0
0.114.1
0.114.2
0.114.3
0.114.4
0.115.0
0.115.1
0.115.2
0.115.3
0.115.4
0.115.5
0.115.6
0.116.0
0.116.1
0.116.2
0.116.3
0.116.4
0.117.0
0.117.1
0.117.2
0.117.3
0.117.4
0.117.5
0.117.6
0.118.0
0.118.1
0.118.2
0.118.3
0.118.4
0.118.5
0.28
0.7.6
0.81.1
2020.*
2020.12.0
2020.12.1
2020.12.2
2021.*
2021.1.0
2021.1.1
2021.1.2
2021.1.3
2021.1.4
2021.1.5
2021.10.0
2021.10.1
2021.10.2
2021.10.3
2021.10.4
2021.10.5
2021.10.6
2021.10.7
2021.11.0
2021.11.1
2021.11.2
2021.11.3
2021.11.4
2021.11.5
2021.12.0
2021.12.1
2021.12.10
2021.12.2
2021.12.3
2021.12.4
2021.12.5
2021.12.6
2021.12.7
2021.12.8
2021.12.9
2021.2.0
2021.2.1
2021.2.2
2021.2.3
2021.3.0
2021.3.1
2021.3.2
2021.3.3
2021.3.4
2021.4.0
2021.4.1
2021.4.2
2021.4.3
2021.4.4
2021.4.5
2021.4.6
2021.5.0
2021.5.1
2021.5.2
2021.5.3
2021.5.4
2021.5.5
2021.6.0
2021.6.1
2021.6.2
2021.6.3
2021.6.4
2021.6.5
2021.6.6
2021.7.0
2021.7.1
2021.7.2
2021.7.3
2021.7.4
2021.8.0
2021.8.1
2021.8.2
2021.8.3
2021.8.4
2021.8.5
2021.8.6
2021.8.7
2021.8.8
2021.9.0
2021.9.1
2021.9.2
2021.9.3
2021.9.4
2021.9.5
2021.9.6
2021.9.7
2022.*
2022.10.0
2022.10.1
2022.10.2
2022.10.3
2022.10.4
2022.10.5
2022.11.0
2022.11.1
2022.11.2
2022.11.3
2022.11.4
2022.11.5
2022.12.0
2022.12.1
2022.12.2
2022.12.3
2022.12.4
2022.12.5
2022.12.6
2022.12.7
2022.12.8
2022.12.9
2022.2.0
2022.2.1
2022.2.2
2022.2.3
2022.2.4
2022.2.5
2022.2.6
2022.2.7
2022.2.8
2022.2.9
2022.3.0
2022.3.1
2022.3.2
2022.3.3
2022.3.4
2022.3.5
2022.3.6
2022.3.7
2022.3.8
2022.4.0
2022.4.1
2022.4.2
2022.4.3
2022.4.4
2022.4.5
2022.4.6
2022.4.7
2022.5.0
2022.5.1
2022.5.2
2022.5.3
2022.5.4
2022.5.5
2022.6.0
2022.6.1
2022.6.2
2022.6.3
2022.6.4
2022.6.5
2022.6.6
2022.6.7
2022.7.0
2022.7.1
2022.7.2
2022.7.3
2022.7.4
2022.7.5
2022.7.6
2022.7.7
2022.8.0
2022.8.1
2022.8.2
2022.8.3
2022.8.4
2022.8.5
2022.8.6
2022.8.7
2022.9.0
2022.9.1
2022.9.2
2022.9.3
2022.9.4
2022.9.5
2022.9.6
2022.9.7
2023.*
2023.1.0
2023.1.1
2023.1.2
2023.1.3
2023.1.4
2023.1.5
2023.1.6
2023.1.7
2023.10.0
2023.10.1
2023.10.2
2023.10.3
2023.10.4
2023.10.5
2023.11.0
2023.11.1
2023.11.2
2023.11.3
2023.12.0
2023.12.1
2023.12.2
2023.12.3
2023.12.4
2023.2.0
2023.2.1
2023.2.2
2023.2.3
2023.2.4
2023.2.5
2023.3.0
2023.3.1
2023.3.2
2023.3.3
2023.3.4
2023.3.5
2023.3.6
2023.4.0
2023.4.1
2023.4.2
2023.4.3
2023.4.4
2023.4.5
2023.4.6
2023.5.0
2023.5.1
2023.5.2
2023.5.3
2023.5.4
2023.6.0
2023.6.1
2023.6.2
2023.6.3
2023.7.0
2023.7.1
2023.7.2
2023.7.3
2023.8.0
2023.8.1
2023.8.2
2023.8.3
2023.8.4
2023.9.0
2023.9.1
2023.9.2
2023.9.3
2024.*
2024.1.0
2024.1.1
2024.1.2
2024.1.3
2024.1.4
2024.1.5
2024.1.6
2024.10.0
2024.10.1
2024.10.2
2024.10.3
2024.11.0
2024.11.1
2024.11.2
2024.11.3
2024.12.0
2024.12.1
2024.12.2
2024.12.3
2024.12.4
2024.12.5
2024.2.0
2024.2.1
2024.2.2
2024.2.3
2024.2.4
2024.2.5
2024.3.0
2024.3.1
2024.3.2
2024.3.3
2024.4.0
2024.4.1
2024.4.2
2024.4.3
2024.4.4
2024.5.0
2024.5.1
2024.5.2
2024.5.3
2024.5.4
2024.5.5
2024.6.0
2024.6.1
2024.6.2
2024.6.3
2024.6.4
2024.7.0
2024.7.1
2024.7.2
2024.7.3
2024.7.4
2024.8.0
2024.8.1
2024.8.2
2024.8.3
2024.9.0
2024.9.1
2024.9.2
2024.9.3
2025.*
2025.1.0
2025.1.1
2025.1.2
2025.1.3
2025.1.4
2025.10.0
2025.10.1
2025.10.2
2025.10.3
2025.10.4
2025.11.0
2025.11.1
2025.11.2
2025.11.3
2025.12.0
2025.12.1
2025.12.2
2025.12.3
2025.12.4
2025.12.5
2025.2.0
2025.2.1
2025.2.2
2025.2.3
2025.2.4
2025.2.5
2025.3.0
2025.3.1
2025.3.2
2025.3.3
2025.3.4
2025.4.0
2025.4.1
2025.4.2
2025.4.3
2025.4.4
2025.5.0
2025.5.1
2025.5.2
2025.5.3
2025.6.0
2025.6.1
2025.6.2
2025.6.3
2025.7.0
2025.7.1
2025.7.2
2025.7.3
2025.7.4
2025.8.0
2025.8.1
2025.8.2
2025.8.3
2025.9.0
2025.9.1
2025.9.2
2025.9.3
2025.9.4
Other
Last-Python2-release

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33044.json"