CVE-2026-33045: Stored Cross-Site Scripting in Home Assistant History-Graph Card

Source: DEV Community
Vulnerability ID: CVE-2026-33045
CVSS Score: 7.3
Published: 2026-03-27

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Home Assistant frontend, specifically within the History-graph card component. The flaw allows authenticated users with low privileges or malicious third-party integrations to inject arbitrary JavaScript via unescaped entity names. This script executes when a victim hovers over the associated graph, potentially leading to full account takeover.

TL;DR

Stored XSS in Home Assistant's History-graph card allows attackers to execute arbitrary JavaScript via manipulated sensor names, leading to session hijacking.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-79
Attack Vector: Network
CVSS v4.0 Score: 7.3 (High)
EPSS Score: 0.00047 (14.49%)
Impact: Confidentiality, Integrity, Availability (High)
Exploit Status: Proof-of-Concept Available
CISA KEV Status: Not Listed

Affected
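The unescaped-entity-name flaw described above, shown as an added example that is not Home Assistant's code or the original post's: a hypothetical tooltip renderer in its vulnerable and hardened forms, plus a check that flags entity names carrying markup. All function names and the sample entities are assumptions constructed for illustration.

```javascript
// Added example: hypothetical tooltip renderer, not Home Assistant's own code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (CWE-79): the entity name is concatenated into markup,
// so any tags or event handlers in the name become live DOM on hover.
function tooltipHtmlUnsafe(name, value) {
  return `<div class="tooltip"><b>${name}</b>: ${value}</div>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches markup.
// Where the rendering API allows it, assigning via textContent is stronger still.
function tooltipHtmlSafe(name, value) {
  return `<div class="tooltip"><b>${escapeHtml(name)}</b>: ${escapeHtml(value)}</div>`;
}

// Defender check: list entity ids whose display name contains markup-like input.
// Heuristic only; escaping at render time remains the actual fix.
function findSuspiciousNames(entities) {
  const markup = /[<>]|\bon\w+\s*=|javascript:/i;
  return entities.filter((e) => markup.test(e.name)).map((e) => e.entity_id);
}

// Constructed sample data (not taken from a real installation).
const SAMPLE_ENTITIES = [
  { entity_id: "sensor.living_room_temp", name: "Living Room Temperature" },
  { entity_id: "sensor.garage", name: 'Garage <img src=x onerror="alert(1)">' },
  { entity_id: "sensor.r_and_d", name: "R&D Lab" },
];

console.log("flagged:", findSuspiciousNames(SAMPLE_ENTITIES));
console.log("safe:   ", tooltipHtmlSafe(SAMPLE_ENTITIES[1].name, "21"));
```
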