CVE-2026-33044: Home Assistant has stored XSS in Map-card through malicious device name

March 27, 2026

An authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point (The lines or the dots representing that device’s movement, as shown in the screenshot below, with the example showing a html-injection using <s> to strikethrough the text)

This allows an authenticated user to execute JavaScript in the context of any other users accessing a dashboard.

References

github.com/advisories/GHSA-r584-6283-p7xc
github.com/home-assistant/core
github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xc
nvd.nist.gov/vuln/detail/CVE-2026-33044

Code Behaviors & Features

Detect and mitigate CVE-2026-33044 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →