VYPR
Moderate severityNVD Advisory· Published Jun 3, 2026· Updated Jun 3, 2026

malla: Stored XSS via Meshtastic node names in multiple frontend pages

CVE-2026-43980

Description

Node names (long_name, short_name) received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor.

Affected files:

  • src/malla/templates/traceroute_graph.html (line ~832)
  • src/malla/templates/map.html (lines ~945, 1078)
  • src/malla/templates/packet_detail.html (lines ~1402, 1452)
  • src/malla/static/js/relay_node_analysis.js (line ~124)

Steps to reproduce

  1. Publish a Meshtastic NODEINFO_APP packet to any public MQTT broker with long_name set to a HTML entity i.e ``
  2. Wait for malla-capture to store it
  3. Open the dashboard

Impact

Allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser, such as:

  • Phishing overlays
  • Force redirect to malicious websites
  • Injection of arbitrary third-party scripts (no CSP restrictions)
  • Browser resource abuse
  • Persistent dashboard denial of service

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
mallaPyPI
<= 0.1.7

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.