CVE-2026-33044: Stored Cross-Site Scripting in Home Assistant Map-Card

via Dev.to, CVE Reports

Vulnerability ID: CVE-2026-33044
CVSS Score: 7.3
Published: 2026-03-27

Home Assistant versions prior to 2026.01 are vulnerable to a stored Cross-Site Scripting (XSS) flaw in the Map-card component. An authenticated attacker can inject malicious JavaScript into an entity name, which executes when a victim hovers over historical movement data points in the dashboard.

TL;DR

A stored XSS vulnerability in the Home Assistant Map-card allows authenticated attackers to execute arbitrary JavaScript in a victim's browser context by injecting HTML payloads into device entity names.

⚠️ Exploit Status: POC

Technical Details

CVE ID: CVE-2026-33044
CWE ID: CWE-79
Attack Vector: Network
CVSS 4.0 Score: 7.3
Impact: Account Takeover / Session Hijacking
Exploit Status: PoC Available
CISA KEV Status: Not Listed

Affected Systems

Home Assistant Core
Home Assistant Frontend
homeassistant: >= 2020.02, < 2026.01 (Fixed in: 2026.01)
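The flaw class summarized above (an entity name reaching hover-tooltip markup without encoding) is shown here as an added example next to its hardened form, with a small audit helper for existing names. This is not Home Assistant code: the function names, tooltip markup, object fields and sample entities are hypothetical and constructed for illustration.

```javascript
// Added illustration. Function names, tooltip markup and sample data are
// hypothetical/constructed; this is not Home Assistant frontend code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the user-controlled entity name is concatenated into
// markup that the map layer later parses as HTML when the point is hovered.
function tooltipHtmlUnsafe(entityName, timestamp) {
  return `<b>${entityName}</b><br>${timestamp}`;
}

// Hardened form: every dynamic value is encoded before it reaches the markup.
function tooltipHtmlSafe(entityName, timestamp) {
  return `<b>${escapeHtml(entityName)}</b><br>${escapeHtml(timestamp)}`;
}

// Audit helper: list entity ids whose display name contains angle brackets,
// a cheap signal that a name was set to markup rather than plain text.
function findNamesWithMarkup(entities) {
  return entities
    .filter((e) => /[<>]/.test(String(e.name)))
    .map((e) => e.entity_id);
}

// Constructed sample data (not taken from a real installation).
const SAMPLE_ENTITIES = [
  { entity_id: "device_tracker.phone", name: "Alice's Phone" },
  { entity_id: "device_tracker.tablet", name: 'Tablet <img src=x onerror="alert(1)">' },
];

function demo() {
  const e = SAMPLE_ENTITIES[1];
  return {
    unsafe: tooltipHtmlUnsafe(e.name, "2026-01-05 10:00"),
    safe: tooltipHtmlSafe(e.name, "2026-01-05 10:00"),
    flagged: findNamesWithMarkup(SAMPLE_ENTITIES),
  };
}

console.log(demo());
```

Where the tooltip is built as a DOM node rather than a string, assigning the name through `textContent` avoids HTML parsing of the value altogether.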
