Description
MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3.
Published: 2026-05-28
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 0.3.3, MeshCore Card does not HTML-escape node names when rendering the Lovelace card. Any HTML or JavaScript embedded in a node name is therefore interpreted by the browser and runs in the Home Assistant frontend of every user who views the card. An attacker who controls a MeshCore node within direct radio range, or reachable indirectly through repeating nodes, can advertise a node name containing markup or script and thereby execute arbitrary client-side code in the victim's Home Assistant session, enabling session hijacking, data theft, or further client-side attacks within the user's Home Assistant interface.

Affected Systems

This vulnerability affects the MeshCore Card component from the vendor jpettitt under the product name meshcore‑card. All releases before 0.3.3 are impacted; the fix is available starting with version 0.3.3.

Risk and Exploitability

The flaw carries a CVSS v3.1 score of 9.6, which is Critical. The vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) scores it as reachable without privileges, with the only user interaction being a victim viewing the card, and with scope changed because the script runs in the Home Assistant frontend rather than in the card component itself. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The attack originates from the radio mesh, so the attacker needs no network access to the Home Assistant instance at all: any node in direct or repeated radio range can inject a name, and a single malicious node affects every user who views the card. That reach, combined with the low skill needed to craft a stored XSS payload, makes remediation urgent.

Generated by OpenCVE AI on May 28, 2026 at 19:26 UTC.

Remediation

The CVE description states that the issue is fixed in MeshCore Card 0.3.3. No separate vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade MeshCore Card to version 0.3.3 or later
  • If an upgrade cannot be performed immediately, remove or disable the MeshCore Card Lovelace view until a patch is applied
  • Do not rely on transport security: serving Home Assistant over HTTPS does not mitigate this issue, because the injected script runs inside the Home Assistant page, within its own origin
  • Review the node names the MeshCore integration reports for HTML markup (characters such as <, >, quotes or &) and treat any node advertising such a name as hostile; a malicious node cannot be forced out of radio range, so the durable fix is the escaped rendering in 0.3.3

Generated by OpenCVE AI on May 28, 2026 at 19:26 UTC.
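The pattern behind a CWE-79 bug of this kind, as an added illustration that is not code from the meshcore-card project: an attacker-controlled node name concatenated straight into markup (the vulnerable shape), the same rendering with every untrusted field escaped first (the hardened shape), and the markup check suggested in the recommended actions above run over a constructed node list. The `name`/`rssi` fields, the function names and the sample payload are assumptions for illustration; the actual fix in 0.3.3 is not shown here.

```javascript
// Added illustration (not meshcore-card code): unsafe vs. escaped rendering
// of a node name, plus a check that flags names carrying HTML markup.
// Field names (name, rssi) and the sample data are constructed assumptions.

// Escape the characters that matter in HTML text and attribute context.
// '&' must be replaced first so already-escaped output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape: the radio-supplied name goes straight into an HTML
// string that a card would then assign to innerHTML. Any tag in the name
// is parsed and, for event-handler attributes, executed in the page.
function renderNodeUnsafe(node) {
  return `<div class="node">${node.name} <span>${node.rssi} dBm</span></div>`;
}

// Hardened shape: every untrusted field is escaped before it enters markup,
// so a crafted name is displayed as text instead of being parsed.
function renderNodeSafe(node) {
  return `<div class="node">${escapeHtml(node.name)} <span>${escapeHtml(node.rssi)} dBm</span></div>`;
}

// Does a node name contain anything that could change how HTML is parsed?
// A legitimate name should not need any of these characters.
function containsMarkup(name) {
  return /[<>"'&]/.test(String(name));
}

// Return the names of all nodes whose names carry markup, for review or alerting.
function suspiciousNodes(nodes) {
  return nodes.filter((n) => containsMarkup(n.name)).map((n) => n.name);
}

// Constructed sample: one benign node and one advertising a classic XSS payload.
const SAMPLE_NODES = [
  { name: "Hilltop Repeater", rssi: -97 },
  { name: '<img src=x onerror="alert(document.domain)">', rssi: -110 },
];

for (const n of SAMPLE_NODES) {
  console.log("unsafe:", renderNodeUnsafe(n));
  console.log("safe:  ", renderNodeSafe(n));
}
console.log("flagged:", suspiciousNodes(SAMPLE_NODES));
```

In a Lovelace card built on Lit, the equivalent of `renderNodeSafe` is to interpolate the name only through the `html` tagged template, which escapes interpolated values, and never through `unsafeHTML` or a direct `innerHTML` assignment; whether the project's own fix took that route is not stated on this page.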


Advisories

No advisories yet.

History

Thu, 28 May 2026 18:00:00 +0000

Type / Values Removed / Values Added (nothing was removed in this entry; all values below were added)

Description: MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3.
Title: MeshCore Card: XSS vulnerability through meshcore node name
Weaknesses: CWE-79
References: (none)
Metrics: cvssV3_1, score 9.6, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T16:54:32.847Z

Reserved: 2026-05-11T20:50:30.539Z

Link: CVE-2026-45323

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-28T18:16:35.300

Modified: 2026-05-28T18:16:35.300

Link: CVE-2026-45323

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:30:16Z

Weaknesses