CVE-2026-45323
CRITICAL
MeshCore Card: XSS vulnerability through meshcore node name
Title source: cna
Description
MeshCore Card provides a MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, MeshCore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary JavaScript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3.
References (1)
x_refsource_confirm
https://github.com/jpettitt/meshcore-card/security/advisories/GHSA-5vrg-xpcj-xppc
Scores
CVSS v3: 9.6
EPSS: 0.0027
EPSS Percentile: 17.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-79
Status: published
Products (2)
jpettitt/meshcore-card: < 0.3.3
jpettitt/meshcore_card: < 0.3.3
Published: May 28, 2026
Tracked Since: May 28, 2026