Meshtastic
Products
2- 15 CVEs
- 13 CVEs
Recent CVEs
15| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-52883 | Med | 0.27 | 5.3 | 0.00 | Jun 24, 2025 | Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the… | ||
| CVE-2026-43980 | 0.00 | — | 0.00 | Jun 3, 2026 | Node names (long_name, short_name) received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla… | |||
| CVE-2025-55292 | 0.00 | — | 0.00 | Jan 27, 2026 | Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which… | |||
| CVE-2025-53627 | 0.00 | — | 0.00 | Dec 29, 2025 | Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel… | |||
| CVE-2025-55293 | 0.00 | — | 0.00 | Aug 18, 2025 | Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting… | |||
| CVE-2024-47065 | 0.00 | — | 0.00 | Jul 11, 2025 | Meshtastic is an open source mesh networking solution. Prior to 2.5.1, traceroute responses from the remote node are not rate limited. Given that there are SNR measurements attributed to each received transmission, this is a guaranteed way to get a remote station to reliably and… | |||
| CVE-2025-53637 | 0.00 | — | 0.00 | Jul 10, 2025 | Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code… | |||
| CVE-2025-24798 | 0.00 | — | 0.00 | Jul 10, 2025 | Meshtastic is an open source mesh networking solution. From 1.2.1 until 2.6.2, a packet sent to the routing module that contains want_response==true causes a crash. This can lead to a degradation of service for nodes within range of a malicious sender, or via MQTT if downlink is… | |||
| CVE-2025-52464 | 0.00 | — | 0.00 | Jun 19, 2025 | Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure of several hardware vendors was resulting in duplicated public/private keys. Additionally, the Meshtastic was failing to properly initialize the internal… | |||
| CVE-2025-24797 | 0.00 | — | 0.01 | Apr 14, 2025 | Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-controlled buffer overflow, allowing an attacker to hijack execution flow, potentially resulting in remote code execution.… | |||
| CVE-2025-21608 | 0.00 | — | 0.00 | Feb 18, 2025 | Meshtastic is an open source mesh networking solution. In affected firmware versions crafted packets over MQTT are able to appear as a DM in client to a node even though they were not decoded with PKC. This issue has been addressed in version 2.5.19 and all users are advised to… | |||
| CVE-2024-51500 | 0.00 | — | 0.00 | Nov 4, 2024 | Meshtastic firmware is a device firmware for the Meshtastic project. The Meshtastic firmware does not check for packets claiming to be from the special broadcast address (0xFFFFFFFF) which could result in unexpected behavior and potential for DDoS attacks on the network. A… | |||
| CVE-2024-47079 | 0.00 | — | 0.00 | Oct 7, 2024 | Meshtastic is an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic firmware is an open source firmware implementation for the broader project. The remote hardware module of the firmware does not have proper checks to… | |||
| CVE-2024-47078 | 0.00 | — | 0.00 | Sep 25, 2024 | Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT Server. Nodes can communicate directly via an internet connection or proxied through a connected phone (i.e., via… | |||
| CVE-2024-45038 | 0.00 | — | 0.01 | Aug 27, 2024 | Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic device firmware is subject to a denial of serivce vulnerability in MQTT handling, fixed in… |
- risk 0.27cvss 5.3epss 0.00
Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the…
- CVE-2026-43980Jun 3, 2026risk 0.00cvss —epss 0.00
Node names (long_name, short_name) received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla…
- CVE-2025-55292Jan 27, 2026risk 0.00cvss —epss 0.00
Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which…
- CVE-2025-53627Dec 29, 2025risk 0.00cvss —epss 0.00
Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel…
- CVE-2025-55293Aug 18, 2025risk 0.00cvss —epss 0.00
Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting…
- CVE-2024-47065Jul 11, 2025risk 0.00cvss —epss 0.00
Meshtastic is an open source mesh networking solution. Prior to 2.5.1, traceroute responses from the remote node are not rate limited. Given that there are SNR measurements attributed to each received transmission, this is a guaranteed way to get a remote station to reliably and…
- CVE-2025-53637Jul 10, 2025risk 0.00cvss —epss 0.00
Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code…
- CVE-2025-24798Jul 10, 2025risk 0.00cvss —epss 0.00
Meshtastic is an open source mesh networking solution. From 1.2.1 until 2.6.2, a packet sent to the routing module that contains want_response==true causes a crash. This can lead to a degradation of service for nodes within range of a malicious sender, or via MQTT if downlink is…
- CVE-2025-52464Jun 19, 2025risk 0.00cvss —epss 0.00
Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure of several hardware vendors was resulting in duplicated public/private keys. Additionally, the Meshtastic was failing to properly initialize the internal…
- CVE-2025-24797Apr 14, 2025risk 0.00cvss —epss 0.01
Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-controlled buffer overflow, allowing an attacker to hijack execution flow, potentially resulting in remote code execution.…
- CVE-2025-21608Feb 18, 2025risk 0.00cvss —epss 0.00
Meshtastic is an open source mesh networking solution. In affected firmware versions crafted packets over MQTT are able to appear as a DM in client to a node even though they were not decoded with PKC. This issue has been addressed in version 2.5.19 and all users are advised to…
- CVE-2024-51500Nov 4, 2024risk 0.00cvss —epss 0.00
Meshtastic firmware is a device firmware for the Meshtastic project. The Meshtastic firmware does not check for packets claiming to be from the special broadcast address (0xFFFFFFFF) which could result in unexpected behavior and potential for DDoS attacks on the network. A…
- CVE-2024-47079Oct 7, 2024risk 0.00cvss —epss 0.00
Meshtastic is an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic firmware is an open source firmware implementation for the broader project. The remote hardware module of the firmware does not have proper checks to…
- CVE-2024-47078Sep 25, 2024risk 0.00cvss —epss 0.00
Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT Server. Nodes can communicate directly via an internet connection or proxied through a connected phone (i.e., via…
- CVE-2024-45038Aug 27, 2024risk 0.00cvss —epss 0.01
Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic device firmware is subject to a denial of serivce vulnerability in MQTT handling, fixed in…