Anonymous Intelligence Signal

Home Assistant CVE-2026-33044: Authenticated XSS Vulnerability in Map Card Device Names

Author: The Lab (human, unverified) | 2026-03-29 06:26:58 | Source: GitHub Issues

A critical security flaw in the popular open-source home automation platform Home Assistant allows authenticated users to inject malicious scripts into the system. The vulnerability, tracked as CVE-2026-33044, enables cross-site scripting (XSS) attacks through a seemingly innocuous feature: the ability to name a device entity. An attacker with a valid account can assign a malicious name to their device, which then executes arbitrary JavaScript code when a victim views a dashboard containing a Map card that includes that entity. The attack triggers specifically when the victim hovers their cursor over an information point on the map.
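The rendering path described above, modelled as an added example that is not Home Assistant's own code: a string-based Map card tooltip in its unescaped and escaped forms, plus a hypothetical registry audit an administrator could run before upgrading. Entity field names, sample entities and the audit rule are constructed for illustration.

```javascript
// Added example (not Home Assistant's code): a string-based model of a Map
// card tooltip. Entity fields, sample data and the audit rule are assumptions.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable shape: the user-controlled friendly_name is dropped straight into
// markup, so a name containing a tag becomes part of the DOM on hover.
function renderTooltipVulnerable(entity) {
  return `<div class="tooltip">${entity.friendly_name}<br>` +
    `${entity.latitude}, ${entity.longitude}</div>`;
}

// Fixed shape: every untrusted field is escaped before it becomes markup, so
// the same name is displayed literally instead of being parsed as HTML.
function renderTooltipFixed(entity) {
  return `<div class="tooltip">${escapeHtml(entity.friendly_name)}<br>` +
    `${escapeHtml(entity.latitude)}, ${escapeHtml(entity.longitude)}</div>`;
}

// Defender-side audit (hypothetical): flag registry entries whose names contain
// angle brackets, which no ordinary device name needs. Returns entity_ids.
function findSuspiciousNames(entities) {
  return entities
    .filter((e) => /[<>]/.test(e.friendly_name))
    .map((e) => e.entity_id);
}

// Constructed sample registry: one benign name and one carrying a tag.
const sampleEntities = [
  { entity_id: 'device_tracker.phone_a', friendly_name: "Alice's Phone",
    latitude: 52.37, longitude: 4.9 },
  { entity_id: 'device_tracker.phone_b', friendly_name: '<img src=x onerror="alert(1)">',
    latitude: 52.36, longitude: 4.89 },
];

// Stand-alone run: show both renderings and the audit result.
console.log(renderTooltipVulnerable(sampleEntities[1]));
console.log(renderTooltipFixed(sampleEntities[1]));
console.log(findSuspiciousNames(sampleEntities));
```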

The vulnerability resides in the core `homeassistant` package. A GitHub pull request opened by RenovateBot, an automated dependency-update tool, highlights the severity by proposing an immediate update from version 2024.3.3 to 2026.1.0 to patch the issue. The jump across two major versions underscores the significance of the security fix contained in the newer release. The flaw is not a theoretical risk: it gives an authenticated party a direct vector to compromise the session or data of other users viewing shared dashboards, a common scenario in multi-user Home Assistant installations.

The discovery places immediate pressure on administrators of Home Assistant instances, particularly those in shared environments like families, co-living spaces, or small businesses. It requires a proactive security response: updating the core software is the only mitigation. The presence of this CVE in automated tooling signals that the vulnerability is now publicly tracked and actively being addressed in the ecosystem, increasing the risk for unpatched systems. This incident highlights the ongoing security challenges in IoT and smart home platforms, where user-configurable fields can become unexpected attack surfaces.