VYPR
Critical severity 9.6 · NVD Advisory · Published May 28, 2026

CVE-2026-45323

Description

MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MeshCore Card prior to 0.3.3 has XSS via unescaped node names in Home Assistant frontend.

Vulnerability

The meshcore-card for Home Assistant prior to version 0.3.3 does not HTML-escape the adv_name attribute of meshcore nodes when rendering contact cards. This allows any node within radio range to inject arbitrary JavaScript into the Home Assistant frontend of anyone viewing the card. [1]

Exploitation

An attacker needs to be within direct or indirect radio range of the victim's meshcore network. By setting a node's advertised name (adv_name) to a malicious payload (e.g., ``), the JavaScript executes immediately when a user views a dashboard containing a meshcore contact card. The payload can be injected via the meshcore-ha integration's state updates. [1]

Impact

Successful exploitation allows arbitrary JavaScript execution in the Home Assistant frontend, potentially leading to session hijacking, data theft, or further compromise of the Home Assistant instance. The attacker gains code execution in the context of the victim's Home Assistant user. [1]

Mitigation

The vulnerability is fixed in version 0.3.3 of meshcore-card. Users should update to this or later version. No workarounds are provided in the advisory. [1]

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing HTML escaping of meshcore node names (adv_name) when rendering in the Home Assistant frontend card."

Attack vector

An attacker within LoRa radio range of any node connected to the victim's mesh network broadcasts a node name containing malicious JavaScript. The meshcore-ha integration stores this name directly into the HA entity's extra_state_attributes without any HTML escaping [ref_id=1]. When any Home Assistant user views a dashboard containing a meshcore contact card, the card renders the adv_name attribute as raw HTML, causing the injected script to execute in the context of the victim's HA frontend session. The attack is zero-click — simply viewing the dashboard triggers execution [ref_id=1].

Affected code

The contact card (contact-card.ts) constructs HTML from the meshcore HA state and renders it in the frontend without escaping — specifically, the adv_name attribute of any node heard on the mesh is rendered as raw HTML [ref_id=1]. The meshcore-ha integration stores adv_name directly into extra_state_attributes without calling html.escape, markupsafe, or bleach [ref_id=1].

What the fix does

The advisory recommends replacing raw HTML insertion of adv_name (and any other externally sourced strings) with a text node or using a template literal that escapes HTML entities — for example, replacing innerHTML usage with textContent, or applying a simple escape function before insertion [ref_id=1]. No patch diff is included in the bundle, but the advisory states the fix is released in version 0.3.3.
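The two rendering patterns the advisory contrasts, written out as an added example (not the meshcore-card project's own contact-card.ts, which is not in the bundle): the vulnerable form interpolates the untrusted adv_name attribute straight into an HTML string destined for innerHTML, and the hardened forms either escape every externally sourced string first or assign it through textContent so it is never parsed as markup. The attribute names come from the advisory; the card markup, the helper names and the sample attributes are assumptions constructed for this example.

```javascript
// Added example, not meshcore-card code. Attribute names (adv_name,
// node_type_str, last_advert) are the ones the advisory names; the markup
// and helper names are assumptions.

// Escape the five characters that change meaning in HTML text or attributes.
// Ampersand goes first so already-escaped output is not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: state attributes received over the radio are dropped
// into an HTML string that the card later assigns to innerHTML.
function renderContactUnsafe(attrs) {
  return `<div class="contact"><span class="name">${attrs.adv_name}</span>` +
         `<span class="type">${attrs.node_type_str}</span></div>`;
}

// Hardened pattern 1: every externally sourced string is escaped before it
// reaches the HTML string, so a name can only ever render as text.
function renderContactSafe(attrs) {
  return `<div class="contact"><span class="name">${escapeHtml(attrs.adv_name)}</span>` +
         `<span class="type">${escapeHtml(attrs.node_type_str)}</span></div>`;
}

// Hardened pattern 2 for DOM-building code: create elements and assign the
// untrusted values via textContent, which never parses markup.
// `doc` is any Document (window.document in the browser).
function renderContactDom(attrs, doc) {
  const root = doc.createElement("div");
  root.className = "contact";
  const name = doc.createElement("span");
  name.className = "name";
  name.textContent = attrs.adv_name;       // text node, not markup
  const type = doc.createElement("span");
  type.className = "type";
  type.textContent = attrs.node_type_str;
  root.append(name, type);
  return root;
}

// Review/test helper: list the opening tag names in rendered markup. The
// template itself contributes exactly div, span, span; anything else came
// from untrusted input.
function openingTagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][\w-]*)/g), (m) => m[1]);
}

// Constructed sample using the advisory's proof-of-concept name.
const sampleAttrs = {
  adv_name: "<img src=x onerror=alert(1)>",
  node_type_str: "CLIENT",
  last_advert: Math.floor(Date.now() / 1000),
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderContactUnsafe(sampleAttrs));
  console.log("safe:  ", renderContactSafe(sampleAttrs));
  console.log("tags (unsafe):", openingTagNames(renderContactUnsafe(sampleAttrs)));
  console.log("tags (safe):  ", openingTagNames(renderContactSafe(sampleAttrs)));
}
```

The openingTagNames check is the kind of assertion a unit test for the card can carry: rendered markup for any node state must contain only the tags the template itself emits. Either hardened pattern passes it; the raw interpolation fails it as soon as a name contains a tag.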

Preconditions

  • Network: Attacker must be within direct or repeated LoRa radio range of any node connected to the victim's mesh network.
  • Input: Attacker broadcasts a node name (adv_name) containing malicious JavaScript, fitting within the 32-byte limit of the Meshcore node name field.
  • Auth: No authentication required; the mesh radio accepts and relays node names from any device in range.

Reproduction

Set the HA entity state via the REST API to simulate a malicious node name. Run the following in the browser console on the HA frontend (replace the entity ID as needed):

  const token = document.querySelector("home-assistant").hass.auth.data.access_token;
  fetch("/api/states/binary_sensor.meshcore_xss_contact", {
    method: "POST",
    headers: { "Authorization": "Bearer " + token, "Content-Type": "application/json" },
    body: JSON.stringify({
      state: "on",
      attributes: {
        adv_name: "<img src=x onerror=alert(1)>",
        node_type_str: "CLIENT",
        last_advert: Math.floor(Date.now() / 1000),
        icon: "mdi:account"
      }
    })
  }).then(r => r.json()).then(console.log);

Opening a dashboard with a meshcore contact card causes alert(1) to execute immediately [ref_id=1].

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
