ID

VAR-202603-5372


CVE

CVE-2026-33044


TITLE

Home Assistant Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2026-009617

DESCRIPTION

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue. Some of the information handled by the software may be leaked to the outside. Also, some of the information handled by the software may be rewritten. Furthermore, the software will not stop. Furthermore, attacks exploiting this vulnerability may affect other software.

Trust: 1.62

sources: NVD: CVE-2026-33044 // JVNDB: JVNDB-2026-009617

AFFECTED PRODUCTS

vendor: home assistant
model: home-assistant
scope: lt
version: 2026.1.0

Trust: 1.0

vendor: home assistant
model: home-assistant
scope: gte
version: 2020.02

Trust: 1.0

vendor: home assistant
model: home assistant
scope: eq
version: 2020.02 that's all 2026.1.0

Trust: 0.8

vendor: home assistant
model: home assistant
scope: eq
version: -

Trust: 0.8

vendor: home assistant
model: home assistant
scope: -
version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-009617 // NVD: CVE-2026-33044

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2026-33044
value: MEDIUM

Trust: 1.0

security-advisories@github.com: CVE-2026-33044
value: HIGH

Trust: 1.0

NVD: CVE-2026-33044
value: MEDIUM

Trust: 0.8

nvd@nist.gov: CVE-2026-33044
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2026-33044
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-009617 // NVD: CVE-2026-33044 // NVD: CVE-2026-33044

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-009617 // NVD: CVE-2026-33044

PATCH

title: Stored XSS in Map-card through malicious device name  Advisory  home-assistant/core  GitHub
url: https://github.com/home-assistant/core/security/advisories/GHSA-r584-6283-p7xc

Trust: 0.8

sources: JVNDB: JVNDB-2026-009617

EXTERNAL IDS

db: NVD, id: CVE-2026-33044

Trust: 2.6

db: JVNDB, id: JVNDB-2026-009617

Trust: 0.8

sources: JVNDB: JVNDB-2026-009617 // NVD: CVE-2026-33044

REFERENCES

url: https://github.com/home-assistant/core/security/advisories/ghsa-r584-6283-p7xc

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2026-33044

Trust: 0.8

sources: JVNDB: JVNDB-2026-009617 // NVD: CVE-2026-33044

SOURCES

db: JVNDB, id: JVNDB-2026-009617
db: NVD, id: CVE-2026-33044

LAST UPDATE DATE

2026-04-03T23:55:57.381000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-009617, date: 2026-04-02T01:39:00
db: NVD, id: CVE-2026-33044, date: 2026-03-31T15:42:30.977

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-009617, date: 2026-04-02T00:00:00
db: NVD, id: CVE-2026-33044, date: 2026-03-27T20:16:30.980