CVE-2026-33045: Stored Cross-Site Scripting in Home Assistant History-Graph Card


via Dev.to / CVE Reports

Vulnerability ID: CVE-2026-33045
CVSS Score: 7.3
Published: 2026-03-27

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Home Assistant frontend, specifically within the History-graph card component. The flaw allows authenticated users with low privileges or malicious third-party integrations to inject arbitrary JavaScript via unescaped entity names. This script executes when a victim hovers over the associated graph, potentially leading to full account takeover.

TL;DR

Stored XSS in Home Assistant's History-graph card allows attackers to execute arbitrary JavaScript via manipulated sensor names, leading to session hijacking.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-79
Attack Vector: Network
CVSS v4.0 Score: 7.3 (High)
EPSS Score: 0.00047 (14.49%)
Impact: Confidentiality, Integrity, Availability (High)
Exploit Status: Proof-of-Concept Available
CISA KEV Status: Not Listed

Af
