CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.



CVE-2026-33045: Stored Cross-Site Scripting in Home Assistant History-Graph Card

Alon Barad
Software Engineer

Mar 28, 2026 · 6 min read

PoC Available

Executive Summary (TL;DR)

Stored XSS in Home Assistant's History-graph card allows attackers to execute arbitrary JavaScript via manipulated sensor names, leading to session hijacking.

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Home Assistant frontend, specifically within the History-graph card component. The flaw allows authenticated users with low privileges or malicious third-party integrations to inject arbitrary JavaScript via unescaped entity names. This script executes when a victim hovers over the associated graph, potentially leading to full account takeover.

Vulnerability Overview

Home Assistant is an open-source home automation platform that centralizes control of smart home devices. The frontend component provides a highly customizable dashboard, known as Lovelace, which utilizes various cards to display entity states and historical data. The History-graph card is one such component, designed to visualize sensor data over specified time periods using the Chart.js rendering library.

CVE-2026-33045 identifies a Stored Cross-Site Scripting (XSS) vulnerability within this History-graph card. The flaw originates from the application's failure to adequately sanitize user-controlled input before rendering it within the Document Object Model (DOM). Specifically, the vulnerability affects the tooltip generation logic that executes when a user interacts with the rendered graph.

An attacker with low privileges can manipulate the friendly_name attribute of an integrated sensor to include malicious HTML and JavaScript. When a victim views a dashboard containing the compromised sensor and triggers the tooltip, the payload executes within the context of the victim's browser session. This execution bypasses standard access controls and enables the attacker to perform actions on behalf of the victim.

Root Cause Analysis

The vulnerability exists due to improper neutralization of input during web page generation, classified as CWE-79. Home Assistant relies on the underlying ha-chart-base component to handle the configuration and rendering of Chart.js elements. When creating interactive elements like tooltips, the charting library extracts metadata from the provided dataset to display contextual information to the user.

In this specific implementation, the card retrieves the seriesName parameter, which corresponds to the entity's friendly_name attribute in the Home Assistant configuration. The frontend application passes this raw string directly into the string literal used to construct the tooltip's HTML structure. The application lacks a dedicated sanitization routine to encode or strip HTML entities from this specific data path before DOM insertion.

Consequently, any executable script tags or HTML event handlers embedded within the friendly_name attribute are interpreted as executable code by the browser. The browser parses the injected payload when the tooltip element is appended to the DOM or when its innerHTML property is updated. This behavior violates the principle of strict contextual output encoding required for dynamic web applications.

Code Analysis

The vulnerability mechanism in CVE-2026-33045 closely mirrors a previously disclosed flaw, CVE-2025-62172, which affected the Home Assistant Energy Dashboard. Both vulnerabilities stem from the unsafe concatenation of string variables into DOM elements within the Lovelace frontend components. Analyzing the prior vulnerability provides direct insight into the code-level flaw present in the History-graph card.

In the vulnerable implementation, the frontend component generates the tooltip content by directly embedding the params.seriesName variable. The charting callback function constructs a string template that incorporates the unescaped entity name alongside the corresponding data value.

```typescript
// Vulnerable implementation pattern
tooltipOptions.callbacks.label = function(context) {
  const params = getTooltipParams(context);
  // The params.seriesName is directly concatenated without sanitization
  return `${title}${params.marker} **_${params.seriesName}_**: ${value}`;
};
```

The remediation requires the implementation of strict output encoding or the use of safe DOM manipulation methods. The patched version of the ha-chart-base component introduces an escaping function that neutralizes HTML control characters within the seriesName before string construction.

```typescript
// Patched implementation pattern
import { escapeHTML } from "../../utils/escape";

tooltipOptions.callbacks.label = function(context) {
  const params = getTooltipParams(context);
  // The params.seriesName is safely escaped before rendering
  const safeSeriesName = escapeHTML(params.seriesName);
  return `${title}${params.marker} **_${safeSeriesName}_**: ${value}`;
};
```
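The escaping step from the patched pattern, worked through as an added example (illustrative code, not Home Assistant's ha-chart-base; escapeHTML, the buildTooltipLabel* functions and the params fields are assumed names): the unsafe builder passes the entity name through verbatim, the safe one encodes the five HTML control characters first.

```javascript
// Added example, not Home Assistant's code. Names below are assumed.

// Contextual output encoding for text that ends up in an innerHTML string:
// the five characters that can break out of text or attribute context.
function escapeHTML(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: seriesName (the entity friendly_name) is concatenated
// straight into the HTML string the tooltip is built from.
function buildTooltipLabelUnsafe(params, title, value) {
  return `${title}${params.marker} <b><i>${params.seriesName}</i></b>: ${value}`;
}

// Patched pattern: encode seriesName before it is concatenated. The marker
// is markup the chart component itself emits, so it stays trusted.
function buildTooltipLabelSafe(params, title, value) {
  const safeSeriesName = escapeHTML(params.seriesName);
  return `${title}${params.marker} <b><i>${safeSeriesName}</i></b>: ${value}`;
}

// Helper for review: does the final string still contain a tag other than
// the wrapper tags the builder adds on purpose?
function containsForeignTag(html) {
  const withoutWrappers = html.replace(/<\/?(b|i|span[^>]*)>/gi, "");
  return /<[a-z][^>]*>/i.test(withoutWrappers);
}
```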

Exploitation

Exploitation of CVE-2026-33045 requires an attacker to inject a malicious payload into the friendly_name attribute of a sensor. This initial step demands low privileges, such as an authenticated account with the "Member" role or control over a third-party integration that syncs entity names. For example, an attacker can manipulate the "remaining charge time" sensor data transmitted by an Android Auto integration.

The attacker modifies the sensor name to include standard XSS vectors, utilizing elements like <img> or <svg> tags with onerror or onload event handlers. A typical proof-of-concept payload involves renaming the entity to a string such as Test Sensor <img src=x onerror=alert(document.domain) />. Once the entity name is updated, the payload is stored persistently within the Home Assistant database.

Execution relies on user interaction within the Lovelace dashboard. An administrator or another privileged user must load a dashboard configured with the History-graph card tracking the compromised sensor. The payload remains dormant until the victim moves their cursor over the specific data series on the graph. This action triggers the Chart.js tooltip rendering function, which injects the malicious string into the DOM and executes the embedded JavaScript.

```mermaid
graph LR
  A["Attacker"] -->|Renames Sensor| B["Home Assistant DB"]
  B -->|Stores Payload| C["History-graph Card"]
  D["Admin User"] -->|Views Dashboard| C
  D -->|Hovers over Graph| E["Tooltip Generation"]
  E -->|DOM Injection| F["JavaScript Execution"]
```

Impact Assessment

The successful exploitation of this vulnerability yields substantial security consequences for the targeted Home Assistant instance. The injected JavaScript executes within the security context of the victim's authenticated browser session. This execution environment grants the attacker access to the victim's session tokens, local storage data, and authorized API endpoints.

If the victim holds administrative privileges, the impact escalates to full system compromise. The malicious script can silently issue asynchronous HTTP requests to the Home Assistant REST API or WebSocket interface. Through these interfaces, the script can generate long-lived access tokens, modify system configurations, or create new administrative user accounts under the attacker's control.

The CVSS v4.0 base score of 7.3 accurately reflects this severity, highlighting the high impact on confidentiality, integrity, and availability. While the attack requires low privileges and user interaction, the widespread use of dashboards in home automation systems increases the likelihood of payload execution. The ability to pivot from a low-privileged sensor integration to administrative control makes this a critical path for privilege escalation.

Remediation

System administrators must upgrade Home Assistant Core and Frontend components to version 2026.01 or later to fully mitigate CVE-2026-33045. This release includes the necessary output encoding modifications within the Lovelace charting modules. The patched version ensures that all entity names are properly sanitized before being passed to the Chart.js rendering engine.

Organizations unable to immediately apply the patch should implement interim mitigation strategies. Administrators should conduct a manual audit of all sensor and entity names, specifically looking for HTML tags or suspicious character sequences. Entities originating from untrusted third-party integrations or cloud services require particular scrutiny, as they represent the primary vectors for external payload injection.

Implementing a strict Content Security Policy (CSP) provides an additional layer of defense against XSS exploitation. A robust CSP restricts the execution of inline scripts and limits the domains to which the browser can send data. While Home Assistant requires certain script execution capabilities to function, hardening the CSP headers reduces the operational viability of exfiltration and API abuse payloads.
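The entity-name audit described above, as an added example script (not from the report or the Home Assistant project): it takes state records in the JSON shape returned by Home Assistant's GET /api/states (entity_id, state, attributes.friendly_name) and flags friendly_name values containing tags, event-handler attributes, javascript: URIs or HTML entities. The sample records are constructed; the pattern list and function names are this example's own.

```javascript
// Added example, not part of the report. Input shape follows GET /api/states.

// Review-worthy sequences in an entity's display name. Matches are findings
// for a human to review and rename, not an automatic verdict.
const SUSPICIOUS_PATTERNS = [
  { name: "html-tag", re: /<\s*\/?\s*[a-z][^>]*>/i },       // <img ...>, <svg ...>
  { name: "event-handler", re: /\bon[a-z]+\s*=/i },          // onerror=, onload=
  { name: "javascript-uri", re: /javascript\s*:/i },         // javascript:...
  { name: "html-entity", re: /&(#x?[0-9a-f]+|[a-z]+);/i },   // &lt; &#60; (evasion)
];

// Returns one finding per suspicious entity: id, raw name and which
// patterns matched, so the audit output can be reviewed entity by entity.
function auditEntityNames(states) {
  const findings = [];
  for (const s of states) {
    const name = s && s.attributes ? s.attributes.friendly_name : undefined;
    if (typeof name !== "string") continue;
    const matched = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(name)).map((p) => p.name);
    if (matched.length > 0) {
      findings.push({ entity_id: s.entity_id, friendly_name: name, matched });
    }
  }
  return findings;
}

// Constructed sample in /api/states shape: one benign name, one carrying the
// report's proof-of-concept string, one benign name with bare < and & chars.
const SAMPLE_STATES = [
  { entity_id: "sensor.living_room_temperature", state: "21.5",
    attributes: { friendly_name: "Living Room Temperature", unit_of_measurement: "°C" } },
  { entity_id: "sensor.car_remaining_charge_time", state: "45",
    attributes: { friendly_name: "Test Sensor <img src=x onerror=alert(document.domain) />" } },
  { entity_id: "sensor.fan_trend", state: "1",
    attributes: { friendly_name: "Fan speed > 50% & rising" } },
];

function runSampleAudit() {
  return auditEntityNames(SAMPLE_STATES);
}
```

Against a live instance the same function can be fed the parsed body of GET /api/states (fetched with a long-lived access token); only the display names are inspected, never modified.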

Technical Appendix

CVSS Score: 7.3 / 10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
EPSS Probability: 0.05% (Top 86% most exploited)

Affected Systems

  • Home Assistant Core
  • Home Assistant Frontend
  • History-graph card (ha-chart-base)

Affected Versions Detail

  Product                                          Affected Versions     Fixed Version
  Home Assistant Core / Frontend (Home Assistant)  2025.02 to <2026.01   2026.01

  Attribute          Detail
  CWE ID             CWE-79
  Attack Vector      Network
  CVSS v4.0 Score    7.3 (High)
  EPSS Score         0.00047 (14.49%)
  Impact             Confidentiality, Integrity, Availability (High)
  Exploit Status     Proof-of-Concept Available
  CISA KEV Status    Not Listed

MITRE ATT&CK Mapping

  • T1189 Drive-by Compromise (Initial Access)
  • T1185 Browser Session Hijacking (Collection)
  • T1059.007 Command and Scripting Interpreter: JavaScript (Execution)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Known Exploits & Detection

Research Report: Stored XSS payload injected into sensor friendly_name triggered via Chart.js tooltip hover

Vulnerability Timeline

  • 2025-10-14: Similar vulnerability (CVE-2025-62172) disclosed in Energy Dashboard
  • 2026-01-01: Fix released in Home Assistant version 2026.01
  • 2026-03-27: CVE-2026-33045 officially published and GHSA advisory issued

Related Vulnerabilities

  • CVE-2025-62172
