Home Assistant
cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*
- >= 2020.02, < 2026.01
A cross-site scripting (XSS) vulnerability has been identified in Home Assistant versions 2020.02 prior to 2026.01. This issue allows an authenticated user to inject malicious JavaScript into a device entity's name. The injected script is executed when another user hovers over an information point on a Map card that includes the affected entity. The vulnerability requires the victim to interact with the Map card, specifically by hovering over the entity's movement trail.
Exploitation of this vulnerability allows for cross-site scripting attacks, where injected scripts are executed in the context of the user viewing the dashboard.
To reproduce this vulnerability, first register a new sensor or device that provides a location. Then, change the entity's name to include a malicious payload, such as an image tag with an 'onerror' event. After the entity is added to a Map card with the 'hours to show' attribute set, the payload will execute when hovering over the entity's movement trail.
Users can update to Home Assistant version 2026.01 or later to address this vulnerability.
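The sink pattern behind this class of bug and the output escaping that closes it, as an added JavaScript example that is not Home Assistant's code: the tooltip layout, the `entityId`/`name`/`lastChanged` field names and the sample entities are all assumed, and `findSuspiciousEntityNames` is a defender-side audit over entity names, not part of the project.

```javascript
// Added example (not Home Assistant's code). Shows how a Map card tooltip
// becomes an XSS sink when a user-controlled entity name is concatenated
// into HTML, and how escaping the name closes it. Tooltip layout assumed.

// Minimal HTML escaper for text placed into element content or into a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the entity's friendly name goes straight into the
// tooltip markup, so a name that contains a tag is parsed as a tag.
function renderTrailTooltipVulnerable(entity) {
  return `<div class="trail-tooltip">${entity.name}<br>${entity.lastChanged}</div>`;
}

// Hardened pattern: every value a user can influence is escaped before it
// is joined into the markup; only the fixed structure stays literal.
function renderTrailTooltipSafe(entity) {
  return `<div class="trail-tooltip">${escapeHtml(entity.name)}<br>${escapeHtml(entity.lastChanged)}</div>`;
}

// Defender-side audit (assumed helper): flag entity names that carry
// markup or inline event-handler attributes, which no device name needs.
function findSuspiciousEntityNames(entities) {
  const markup = /<\/?[a-z][^>]*>/i;
  const handler = /\bon[a-z]+\s*=/i;
  return entities
    .filter((e) => markup.test(e.name) || handler.test(e.name))
    .map((e) => e.entityId);
}

// Constructed sample states: one benign tracker and one whose name is
// shaped like the image-tag payload the advisory describes.
const SAMPLE_ENTITIES = [
  { entityId: 'device_tracker.phone', name: 'Phone', lastChanged: '2026-01-01T10:00:00Z' },
  { entityId: 'device_tracker.car', name: '<img src=x onerror=alert(1)>', lastChanged: '2026-01-01T10:05:00Z' },
];
```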