CVE-2026-33044
Published 2026-03-27
Priority: P4 · 26 · medium · 5.4 · CVSS 3.1
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.24% (15.2th percentile)
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| home-assistant | core | — | — |
| home-assistant | home-assistant | >= 2020.02, < 2026.1.0 | 2026.1.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 7.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 8.5 | HIGH | — |
| osv | — | 8.5 | HIGH | — |
GHSA
Home Assistant has stored XSS in Map-card through malicious device name
ghsa · 2026-03-27 · CVSS 8.5 · CVE-2026-33044 [HIGH] · CWE-79
### Summary
An authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point (the lines or the dots representing that device's movement, as shown in the screenshot below, with the example showing an HTML injection using `` to strike through the text).
This allows an authenticated user to execute JavaScript in the context of any other user accessing the dashboard.
### Details
The vulnerability is triggered in the map-card when a malicious entity is added to it and the property `hours_to_show` is set.
See example below, with the malicious ent
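The advisory above describes a user-controlled entity name being rendered as markup in a map tooltip. The following is an added illustration (not Home Assistant's code) of the defensive pattern: escape the name before it is concatenated into tooltip HTML, and an audit helper an operator can run over an exported entity list to spot names that already contain markup. The entity records and the `buildTooltipHtml` renderer are constructed assumptions for the example.

```javascript
// Added example, not Home Assistant code. Shows HTML-escaping of a user-controlled
// entity name before it is placed in a map tooltip, plus an audit helper for operators.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five HTML metacharacters so the value is rendered as text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical tooltip builder for a history point (dot or line) on a map card.
// The entity name and the timestamp are both escaped; nothing user-controlled
// reaches the HTML string unescaped.
function buildTooltipHtml(entity, isoTime) {
  return `<div class="tooltip"><b>${escapeHtml(entity.name)}</b><br>${escapeHtml(isoTime)}</div>`;
}

// Audit helper: return entity ids whose names contain tag-like characters.
// Legitimate friendly names rarely contain "<" or ">", so hits are worth a review
// on instances that have not yet been upgraded to 2026.1.0.
function findSuspiciousNames(entities) {
  return entities
    .filter((e) => /[<>]/.test(e.name))
    .map((e) => e.entity_id);
}

// Constructed sample entity list (not real data).
const SAMPLE_ENTITIES = [
  { entity_id: "device_tracker.phone_alice", name: "Alice's phone" },
  { entity_id: "device_tracker.car", name: "<s>Car</s>" },
  { entity_id: "device_tracker.bike", name: "Bike" },
];

// Stand-alone usage: escaped tooltip for the markup-bearing name, then the audit result.
console.log(buildTooltipHtml(SAMPLE_ENTITIES[1], "2026-03-27T10:00:00Z"));
console.log("names needing review:", findSuspiciousNames(SAMPLE_ENTITIES));
```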
OSV
Home Assistant has stored XSS in Map-card through malicious device name
osv · 2026-03-27 · CVSS 8.5 · CVE-2026-33044 [HIGH]
Suricata
ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M2 (http) (CVE-2021-33044)
suricata · 2026-03-20 · CVSS 9.8 · CVE-2021-33044 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M2 (http) (CVE-2021-33044)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:11; content:"/RPC2_Login"; fast_pattern; http.request_body; content:"|22|ipAddr|22 3a|"; content:"|22|127.0.0.1|22|"; within:15; content:"|22|loginType|22 3a|"; content:"|22|Loopback|22|"; within:15; content:"|22|clientType|22 3a|"; content:"|22|Local|22|"; within:15; reference:url,packetstorm.news/files/id/164423; reference:cve,2021-33044; classtype:attempted-admin; sid:2068366; rev:1; metadata:affected_product Dahua, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE
Suricata
ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)
suricata · 2026-03-20 · CVSS 9.8 · CVE-2021-33044 [CRITICAL]
Rule: alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045)"; flow:established,to_server; content:"|20 00 00 00|DHIP"; startswith; fast_pattern; content:"|22|ipAddr|22 3a|"; content:"|22|127.0.0.1|22|"; within:15; content:"|22|loginType|22 3a|"; content:"|22|Loopback|22|"; within:15; content:"|22|clientType|22 3a|"; content:"|22|Local|22|"; within:15; reference:url,packetstorm.news/files/id/164423; reference:cve,2021-33044; reference:cve,2021-33045; classtype:attempted-admin; sid:2068365; rev:1; metadata:affected_product Dahua, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_20, cve CVE_2021_33045, deployment P
No public exploits indexed.
Published: 2026-03-27