
10 matches found

Veracode
added 2026/03/28 5:28 a.m. · 7 views

Cross-Site Scripting

Home Assistant is vulnerable to Cross-Site Scripting. The vulnerability is due to an authenticated party adding a malicious name to their device entity, where the malicious name allows for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that...

CVSS 8.8 · AI score 5.2 · EPSS 0.00241
Exploits 1 · References 2 · Affected Software 2
Github Security Blog
added 2026/03/27 8:33 p.m. · 22 views

Home Assistant has stored XSS in Map-card through malicious device name

Summary: An authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point The lines or the dots...

CVSS 8.8 · AI score 5.9 · EPSS 0.00241
Exploits 1 · References 3 · Affected Software 1
EUVD
added 2026/03/27 8:33 p.m. · 4 views

EUVD-2026-16774

Home Assistant has stored XSS in Map-card through malicious device name...

CVSS 8.8 · AI score 5.9 · EPSS 0.00241
Exploits 1 · References 1
OSV
added 2026/03/27 8:33 p.m. · 6 views

GHSA-R584-6283-P7XC Home Assistant has stored XSS in Map-card through malicious device name

Summary: An authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point The lines or the dots...

CVSS 2 · AI score 5.9 · EPSS 0.00241
Exploits 1 · References 3
NVD
added 2026/03/27 8:16 p.m. · 10 views

CVE-2026-33044

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see ...

CVSS 8.8 · EPSS 0.00241
Exploits 1 · References 1
Cvelist
added 2026/03/27 7:35 p.m. · 24 views

CVE-2026-33044 Home Assistant has stored XSS in Map-card through malicious device name

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see ...

CVSS 8.8 · EPSS 0.00241
Exploits 1 · References 1
ATTACKERKB
added 2026/03/27 7:35 p.m. · 2 views

CVE-2026-33044

Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see ...

CVSS 8.8 · AI score 5.9 · EPSS 0.00241
Exploits 1 · References 2 · Affected Software 1
CVE
added 2026/03/27 7:35 p.m. · 11 views

CVE-2026-33044

CVE-2026-33044 affects Home Assistant. An authenticated party can set a malicious name on a device entity, enabling stored XSS in dashboards containing a Map-card when a user hovers an information point. Vulnerable since 2020.02 up to 2026.01; fixed in 2026.01. The issue impacts dashboards visibl...

CVSS 8.8 · AI score 5.9 · EPSS 0.00241
Exploits 1 · References 1 · Affected Software 1
Positive Technologies
added 2023/09/06 12:0 a.m. · 5 views

PT-2023-5421 · Cacti +1

Name of the Vulnerable Software and Affected Versions: Cacti versions prior to 1.2.25
Description: The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability, which allows an authenticated user to poison data stored in the Cacti database. This data will be viewed by administrative...

CVSS 9.8 · AI score 5.8 · EPSS 0.99826
Exploits 136 · References 208
Positive Technologies
added 2023/09/05 12:0 a.m. · 4 views

PT-2023-4934 · Cacti +1

Name of the Vulnerable Software and Affected Versions: Cacti versions prior to 1.2.25
Description: The issue exists due to inadequate protection of the web page structure in the Cacti network monitoring tool. This allows a remote attacker to conduct cross-site scripting attacks. An authenticated...

CVSS 9.8 · AI score 6.1 · EPSS 0.99826
Exploits 136 · References 216