CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


CVE-2026-33044 · CVSS 7.3 · EPSS 0.05%

CVE-2026-33044: Stored Cross-Site Scripting in Home Assistant Map-Card

Alon Barad, Software Engineer

Mar 28, 2026 · 7 min read

PoC Available

Executive Summary (TL;DR)

A stored XSS vulnerability in the Home Assistant Map-card allows authenticated attackers to execute arbitrary JavaScript in a victim's browser context by injecting HTML payloads into device entity names.

Home Assistant versions prior to 2026.01 are vulnerable to a stored Cross-Site Scripting (XSS) flaw in the Map-card component. An authenticated attacker can inject malicious JavaScript into an entity name, which executes when a victim hovers over historical movement data points in the dashboard.

Vulnerability Overview

Home Assistant utilizes a modular frontend architecture where users can construct customized dashboards using various card components. The Map-card component visualizes geographical data, allowing users to track the location of entities such as mobile devices or vehicles. When the hours_to_show attribute is configured, this card generates a historical movement trail consisting of discrete data points and connecting lines.

A trust boundary violation occurs within the rendering logic of this historical movement trail. The Home Assistant backend permits authenticated users with appropriate permissions to modify the friendly names of entities. These entity names are subsequently stored in the core state machine and broadcast to connected frontend clients via the WebSocket API or standard HTTP endpoints.

The vulnerability, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), manifests when the Map-card frontend processes these customized entity names. The frontend implementation fails to apply adequate HTML encoding or sanitization before interpolating the entity name into the Document Object Model (DOM) during tooltip generation. Consequently, any executable script embedded within the entity name will execute in the context of the user viewing the dashboard.

Root Cause Analysis

The underlying flaw resides in the event handling and UI rendering sequence of the Map-card's historical tracking feature. The mapping implementation relies on a third-party mapping library (typically Leaflet in the context of Home Assistant) to render map tiles and vector layers. The Home Assistant frontend acts as an orchestration layer, translating internal state data into map markers and interaction events.

When hours_to_show is active, the frontend retrieves historical location data arrays from the backend. For each coordinate in the dataset, the code creates an interactive marker on the map layer. An event listener is attached to these markers to handle mouseover or hover events. The callback function for this event constructs a tooltip or popup element designed to display contextual information, including the entity's current state and its configured friendly name.

The specific failure occurs during the construction of this popup element. Instead of utilizing safe DOM manipulation methods like textContent or employing a robust sanitization library before using innerHTML, the application directly concatenates the raw entity name string into the HTML template of the popup. When the browser parses this newly inserted HTML, it encounters the injected payload, constructs the corresponding DOM nodes, and evaluates any inline scripts or event handlers present in the malicious string.

Code Analysis

The vulnerability pattern involves rendering unescaped user-controlled input within a dynamic UI component. Home Assistant's frontend heavily utilizes Web Components and the Lit library. While Lit inherently escapes text interpolated via standard bindings, vulnerabilities arise when developers intentionally bypass this mechanism to render dynamic HTML structures, often for custom formatting within tooltips.

The vulnerable execution flow resembles the following pattern, in which raw HTML is injected into a Leaflet popup. The attacker-controlled entity name is interpolated directly into a template literal that Leaflet subsequently parses as HTML.

// Vulnerable Implementation Pattern
marker.on('mouseover', function (e) {
  const entityName = stateObj.attributes.friendly_name || stateObj.entity_id;
  // Flaw: entityName is not sanitized before DOM insertion
  const popupContent = `<div class="tooltip-header">${entityName}</div>`;
  marker.bindPopup(popupContent).openPopup();
});

The remediation strategy requires enforcing strict contextual output encoding. The patched versions address this by ensuring that the entity name is treated strictly as a text node or by passing it through an HTML encoding function prior to interpolation. This prevents the browser's HTML parser from interpreting structural characters like < and >.

// Patched Implementation Pattern
import { escapeHTML } from '../../utils/string';
 
marker.on('mouseover', function (e) {
  const entityName = stateObj.attributes.friendly_name || stateObj.entity_id;
  // Fix: The entityName is strictly encoded
  const safeEntityName = escapeHTML(entityName);
  const popupContent = `<div class="tooltip-header">${safeEntityName}</div>`;
  marker.bindPopup(popupContent).openPopup();
});
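As an added example (not code from this report or from the Home Assistant project), the following shows one concrete form of the contextual output encoding described above: an HTML encoder, a popup builder that selects the display name exactly as the snippets do, and a small helper that lists the tags present in the produced markup so a unit test can confirm that only the template's own elements survive. The names escapeHTML, buildPopupHTML and tagsIn, and the shape of the sample state object, are assumptions made for this example; the returned string is what a Leaflet bindPopup call would receive.

```javascript
// Added example, not Home Assistant's own code. escapeHTML, buildPopupHTML
// and tagsIn are hypothetical names chosen for this illustration.

// The five characters that can open, close or alter HTML structure or break
// out of a quoted attribute value. Encoding them is sufficient for text placed
// in element content or in a quoted attribute; it is NOT enough for URL,
// JavaScript or CSS contexts, which need their own encoders.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHTML(value) {
  // String() guards against non-string attribute values (numbers, null).
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pick the display name the same way the page's snippets do, then encode it
// before it is concatenated into the popup markup. The template is a constant
// controlled by the developer; only the interpolated data is untrusted.
function buildPopupHTML(stateObj) {
  const entityName = stateObj.attributes.friendly_name || stateObj.entity_id;
  return `<div class="tooltip-header">${escapeHTML(entityName)}</div>`;
}

// Test helper: list the element names that a parser would see in `html`.
// For a correctly encoded popup this is exactly the template's own tags.
function tagsIn(html) {
  const tags = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// Constructed sample state object mirroring the shape of a Home Assistant
// device_tracker state. The friendly_name carries the demo payload quoted
// later in this report, so the effect of the encoder is visible.
const SAMPLE_STATE = {
  entity_id: 'device_tracker.phone',
  state: 'not_home',
  attributes: {
    friendly_name: 'test <img src=x onerror=alert(document.domain) />',
    latitude: 52.37,
    longitude: 4.9,
  },
};

console.log(buildPopupHTML(SAMPLE_STATE));
// <div class="tooltip-header">test &lt;img src=x onerror=alert(document.domain) /&gt;</div>
console.log(tagsIn(buildPopupHTML(SAMPLE_STATE))); // [ 'div', 'div' ]
```

An equivalent fix that avoids string building altogether is to hand Leaflet an element instead of a string: bindPopup accepts an HTMLElement, so the header can be created with document.createElement and filled through textContent, which never reaches the HTML parser. Whichever form is used, the encoding (or the textContent assignment) has to happen at the point of DOM insertion, not at storage time, because the same name is rendered in other contexts where different rules apply.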

Exploitation

Exploitation of CVE-2026-33044 requires the attacker to fulfill specific prerequisites. First, the attacker must possess an authenticated session with sufficient privileges to modify entity attributes, specifically the friendly name of a location-aware device. Second, a target user must access a dashboard containing a Map-card explicitly configured with the hours_to_show property, and the modified entity must be included in the card's entities list.

The attack is initiated by injecting a Cross-Site Scripting payload into the entity's name. A standard payload leverages the <img> tag with an invalid source and an onerror event handler. The attacker sets the entity name to test <img src=x onerror=alert(document.domain) />. This can be achieved via the Home Assistant UI, API, or by manipulating the device integration providing the location data.

The execution phase is completely dependent on victim interaction. When the victim navigates to the compromised dashboard, the Map-card initializes and renders the historical movement trail. The payload remains dormant until the victim moves their cursor over one of the plotted data points. This hover action triggers the mouseover event, causing the vulnerable JavaScript to render the popup containing the unescaped payload, which the browser then executes immediately.

Impact Assessment

Successful exploitation of this vulnerability results in high-impact consequences within the context of the Home Assistant application. The injected JavaScript executes with the same privileges as the victim user. In modern single-page applications like Home Assistant, this provides the attacker with comprehensive access to the application's internal API state, DOM elements, and browser storage mechanisms.

The primary threat vector is session hijacking and account takeover. The malicious script can extract long-lived access tokens stored in the browser's localStorage or sessionStorage. With these tokens, the attacker can establish an independent, authenticated API connection to the Home Assistant instance, bypassing the need for further interaction. Alternatively, the script can issue API requests directly via the existing WebSocket connection to change administrative passwords, create new administrative users, or disable security integrations.

The CVSS 4.0 vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P accurately reflects this severity. While the exploit requires low privileges (PR:L) and specific user interaction (UI:A), the subsequent impact on confidentiality, integrity, and availability is high (VC:H/VI:H/VA:H). The vulnerability also affects subsequent systems (SC:H/SI:H/SA:H), as gaining administrative control over Home Assistant grants the attacker control over physical smart home devices, alarm systems, and potentially the underlying host operating system depending on the deployment architecture.

Remediation

The primary and most effective remediation for CVE-2026-33044 is to upgrade the Home Assistant Core and Frontend components to version 2026.01 or later. This release introduces comprehensive output encoding within the Map-card component, ensuring that all entity names are properly sanitized before DOM insertion regardless of the trigger event. Administrators should apply this update immediately through their standard deployment mechanisms.

In environments where immediate patching is not feasible, administrators can implement temporary mitigations. The vulnerability requires the hours_to_show configuration parameter to be active on the Map-card. By auditing Lovelace dashboard configurations and removing this parameter, the historical tracking feature is disabled, which neutralizes the specific vulnerable code path associated with the hover tooltips. This constitutes a functional downgrade but eliminates the immediate attack surface.

Furthermore, administrators should conduct a retroactive audit of the system state. Security personnel should inspect the Home Assistant database and API for anomalous entity names containing HTML tags or suspicious JavaScript keywords. Restricting the ability of lower-privileged users to rename entities through Role-Based Access Control (RBAC) modifications will also reduce the likelihood of internal exploitation.
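The two interim measures above, removing hours_to_show from map cards and auditing entity names, can both be checked offline against exported data. The following is an added example (not Home Assistant tooling, and not from the original advisory) with two helpers: one walks a Lovelace dashboard configuration, including cards nested inside stack cards, and reports every map card that still draws a history trail; the other scans an array of state objects in the shape returned by the REST endpoint GET /api/states and flags friendly names that contain HTML tags or script-like keywords. The function names findMapCardsWithHistory and findSuspiciousEntityNames, the path notation, and all sample data are assumptions constructed for this example.

```javascript
// Added example, not Home Assistant's own code. findMapCardsWithHistory and
// findSuspiciousEntityNames are hypothetical names; sample data is constructed.

// Walk a dashboard configuration recursively and report every map card with a
// positive hours_to_show. A value of 0 draws no trail, so it is treated as off.
// Cards can be nested inside stack or grid cards, so every object carrying a
// `cards` array is descended into; `views` is the top-level container.
function findMapCardsWithHistory(dashboard) {
  const findings = [];
  const visit = (node, path) => {
    if (Array.isArray(node)) {
      node.forEach((child, i) => visit(child, `${path}[${i}]`));
      return;
    }
    if (!node || typeof node !== 'object') return;
    if (node.type === 'map' && Number(node.hours_to_show) > 0) {
      findings.push({
        path,
        hours_to_show: node.hours_to_show,
        entities: node.entities || [],
      });
    }
    if (Array.isArray(node.views)) visit(node.views, `${path}.views`);
    if (Array.isArray(node.cards)) visit(node.cards, `${path}.cards`);
  };
  visit(dashboard, '$');
  return findings;
}

// Something that looks like an opening or closing tag, a comment or a
// processing instruction. A bare "<" followed by a space or digit (as in a
// sensor name like "Temperature < 30") is deliberately not matched.
const TAG_PATTERN = /<\s*\/?\s*[a-z!?]/i;
// Inline event handlers, javascript: URLs, script/srcdoc attributes and
// legacy CSS expressions. Word boundary keeps "Sonos" or "Button" from hitting.
const SCRIPT_KEYWORDS = /\bon[a-z]+\s*=|javascript:|<script|srcdoc=|expression\(/i;

// Only friendly_name is inspected: entity_ids are restricted by the platform to
// lowercase letters, digits, underscore and dot, so they cannot carry markup.
function findSuspiciousEntityNames(states) {
  const findings = [];
  for (const s of states) {
    const name = s.attributes && s.attributes.friendly_name;
    if (typeof name !== 'string') continue;
    const reasons = [];
    if (TAG_PATTERN.test(name)) reasons.push('html-tag');
    if (SCRIPT_KEYWORDS.test(name)) reasons.push('script-keyword');
    if (reasons.length) {
      findings.push({ entity_id: s.entity_id, friendly_name: name, reasons });
    }
  }
  return findings;
}

// Constructed sample dashboard: two map cards with a trail (one nested in a
// vertical-stack) and one without.
const SAMPLE_DASHBOARD = {
  views: [
    {
      title: 'Home',
      cards: [
        { type: 'map', entities: ['device_tracker.phone'], hours_to_show: 24 },
        {
          type: 'vertical-stack',
          cards: [
            { type: 'entities', entities: ['light.kitchen'] },
            { type: 'map', entities: [{ entity: 'device_tracker.car' }], hours_to_show: 6 },
          ],
        },
        { type: 'map', entities: ['device_tracker.tablet'] },
      ],
    },
  ],
};

// Constructed sample states: one carries the payload quoted in this report,
// one is benign, and one contains a harmless "<" that must not be flagged.
const SAMPLE_STATES = [
  { entity_id: 'device_tracker.phone', state: 'home',
    attributes: { friendly_name: 'test <img src=x onerror=alert(document.domain) />' } },
  { entity_id: 'device_tracker.car', state: 'not_home',
    attributes: { friendly_name: 'Family car' } },
  { entity_id: 'sensor.temp', state: '21.5',
    attributes: { friendly_name: 'Temperature < 30' } },
];

console.log(findMapCardsWithHistory(SAMPLE_DASHBOARD));
console.log(findSuspiciousEntityNames(SAMPLE_STATES));
```

The entity scan is a triage aid, not a filter: a match means a human should look at who renamed the entity and when, and the renaming user's role should be reviewed as the paragraph above suggests. Removing hours_to_show closes the code path this report describes, but the underlying fix is the encoding applied in 2026.01, so the dashboard audit is only a stopgap until that update is deployed.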

Official Patches

Home Assistant: Official Security Advisory and Patch Information

Technical Appendix

CVSS Score: 7.3 / 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
EPSS Probability: 0.05% (top 86% most exploited)

Affected Systems

Home Assistant Core, Home Assistant Frontend

Affected Versions Detail

Product: Home Assistant (homeassistant)
Affected Versions: >= 2020.02, < 2026.01
Fixed Version: 2026.01

Attribute / Detail
CVE ID: CVE-2026-33044
CWE ID: CWE-79
Attack Vector: Network
CVSS 4.0 Score: 7.3
Impact: Account Takeover / Session Hijacking
Exploit Status: PoC Available
CISA KEV Status: Not Listed

MITRE ATT&CK Mapping

T1189 Drive-by Compromise (Initial Access)
T1185 Browser Session Hijacking (Collection)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Known Exploits & Detection

GitHub Security Advisory: Proof of concept outlining device renaming and dashboard configuration.

Vulnerability Timeline

2026-03-27: Vulnerability publicly disclosed in GitHub Advisory Database.
2026-03-27: CVE ID CVE-2026-33044 assigned by NVD.
2026-03-27: Patch released in Home Assistant 2026.01.

References & Sources

  • [1] GitHub Security Advisory GHSA-r584-6283-p7xc
  • [2] NVD Vulnerability Detail CVE-2026-33044
  • [3] CVE Record
  • [4] OSV Database Entry
  • [5] Researcher Advisory (Robin Lunde)
