PatchSiren cyber security CVE debrief

CVE-2026-45323 jpettitt CVE debrief

A critical cross-site scripting (XSS) vulnerability in MeshCore Card, a Home Assistant Lovelace card for MeshCore mesh networking, allows arbitrary JavaScript execution in the Home Assistant frontend. The flaw stems from improper HTML escaping of node names rendered by the card. Any malicious node within direct radio range, or reachable through repeaters, can inject a JavaScript payload that executes in the browser of every user viewing the card. The CVSS 3.1 score of 9.6 reflects a network attack vector, low complexity, no privileges required, user interaction needed (the victim has to view the card), changed scope, and high impact to confidentiality, integrity, and availability. The vulnerability was disclosed and fixed on May 28, 2026; version 0.3.3 contains the remediation.

Vendor
jpettitt
Product
meshcore-card
CVSS
CRITICAL 9.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Home Assistant users with MeshCore Card installed; operators of MeshCore mesh networks; IoT security teams managing decentralized radio networks; smart home administrators using community Lovelace cards

Technical summary

MeshCore Card versions prior to 0.3.3 fail to HTML-escape node names when rendering the Lovelace card interface. This is a stored XSS: malicious JavaScript embedded in a mesh node name is persisted through the integration's entity data and executes in the Home Assistant frontend of any user who opens a dashboard containing the card. The attacker needs no Home Assistant credentials; the only prerequisite is the ability to transmit on the mesh, directly or through repeaters, so physical proximity or mesh access is the effective barrier. Because the script runs with the viewing user's session, the vulnerability enables full frontend compromise, including unauthorized API calls, automation manipulation, and theft of tokens from the Home Assistant session.
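To make the flaw concrete, the following is an added illustration written for this debrief; it is not code from the meshcore-card repository, whose actual rendering code is not reproduced here. It shows the vulnerable pattern (an over-the-air node name concatenated straight into markup that is later assigned to `innerHTML`) beside its hardened form (every untrusted field escaped first). The markup structure, the `rssi` field and the probe payload are assumptions made for the example.

```javascript
// Added illustration, not meshcore-card's own code. The card structure below
// (a div with name and rssi spans) is assumed for the example.

// Minimal HTML escaper covering the five characters that matter in text and
// double/single-quoted attribute contexts.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);

// Vulnerable pattern: the node name is interpolated verbatim. Anything that
// later does element.innerHTML = renderNodeUnsafe(node) parses and runs the
// attacker's tags with the viewing user's Home Assistant session.
function renderNodeUnsafe(node) {
  return `<div class="node"><span class="name">${node.name}</span>` +
         `<span class="rssi">${node.rssi} dBm</span></div>`;
}

// Hardened pattern: every value that came from the radio is escaped before it
// enters markup, so the name is displayed as text rather than parsed as HTML.
function renderNodeSafe(node) {
  return `<div class="node"><span class="name">${escapeHtml(node.name)}</span>` +
         `<span class="rssi">${escapeHtml(node.rssi)} dBm</span></div>`;
}

// Check used by the demo: list tag names in the rendered string that are not
// part of the card's own template. A non-empty result means the node name was
// parsed as markup.
function foreignTags(html) {
  const expected = new Set(["div", "span"]);
  const tags = [...html.matchAll(/<\s*\/?\s*([a-z][a-z0-9-]*)/gi)]
    .map((m) => m[1].toLowerCase());
  return tags.filter((t) => !expected.has(t));
}

// Constructed probe node: a benign payload of the kind a malicious mesh node
// could advertise as its name. The rssi value is made up.
const PROBE_NODE = { name: '<img src=x onerror="alert(1)">', rssi: -71 };

console.log("unsafe leaks:", foreignTags(renderNodeUnsafe(PROBE_NODE)));
console.log("safe leaks:  ", foreignTags(renderNodeSafe(PROBE_NODE)));
console.log(renderNodeSafe(PROBE_NODE));
```

In a Lit-based card, a string interpolated inside Lit's `html` tagged template is escaped automatically; the exposure arises when the name is built into a string and assigned to `innerHTML`, or passed through the `unsafeHTML` directive. The practical check after a fix is that the rendered output never contains a `<` that originated in a node name.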

Defensive priority

critical

Recommended defensive actions

  • Upgrade MeshCore Card to version 0.3.3 or later immediately; if that cannot be done right away, remove the card from dashboards until it is
  • Review Home Assistant logs for unexpected API calls, newly created long-lived access tokens, or refresh tokens that appeared while the card was in use (client-side script execution itself is not logged server-side, so look for its effects)
  • Audit mesh node names exposed through the integration's entities for markup, event-handler attributes, or javascript: URLs, and check recorder history, since a hostile name may have been changed back
  • Apply a Content Security Policy to Home Assistant via a reverse proxy where possible, and test carefully, because a strict CSP can break the frontend
  • Treat the mesh as an untrusted network: segmenting the IP network does not stop a nearby radio from joining, so limit which mesh-derived data is rendered and on which dashboards
  • Monitor for anomalous automation edits or entity state changes that may indicate a compromised session
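One way to carry out the node-name audit above against a dump of Home Assistant entity states (for example the JSON returned by the `/api/states` REST endpoint, saved to a file). This is an added example for this debrief, not code from PatchSiren or the meshcore-card project; the entity ids, attribute keys and values in the sample are constructed and do not reflect the integration's real schema, which is not documented on this page.

```javascript
// Added example, not the integration's own code. Assumption: mesh nodes surface
// as Home Assistant entities whose attributes carry the node name. Entity ids
// and attribute keys below are made up for the example.

// Constructed sample of a /api/states response (not real data).
const SAMPLE_STATES = [
  { entity_id: "sensor.meshcore_node_a1", state: "online",
    attributes: { friendly_name: "Garage repeater", node_name: "Garage repeater", rssi: -68 } },
  { entity_id: "sensor.meshcore_node_b2", state: "online",
    attributes: { friendly_name: "<img src=x onerror=alert(1)>",
                  node_name: "<img src=x onerror=alert(1)>", rssi: -91 } },
  { entity_id: "sensor.meshcore_node_c3", state: "offline",
    attributes: { friendly_name: "Lab node", node_name: 'Lab node "test"', rssi: -77 } },
  { entity_id: "light.kitchen", state: "on", attributes: { friendly_name: "Kitchen" } },
];

// Patterns that have no business in a node name. Order matters only for the
// reason label reported; the first match wins.
const MARKUP_SIGNALS = [
  [/<\s*\/?[a-z!?]/i, "html tag"],
  [/\bon[a-z]+\s*=/i, "event handler attribute"],
  [/javascript\s*:/i, "javascript: URL"],
];

// Scan every string attribute of entities under the given prefix and return
// one finding per suspicious attribute.
function auditNodeNames(states, entityPrefix = "sensor.meshcore_") {
  const findings = [];
  for (const s of states) {
    if (!s.entity_id.startsWith(entityPrefix)) continue;
    for (const [key, value] of Object.entries(s.attributes ?? {})) {
      if (typeof value !== "string") continue;
      for (const [re, reason] of MARKUP_SIGNALS) {
        if (re.test(value)) {
          findings.push({ entity_id: s.entity_id, attribute: key, reason, value });
          break;
        }
      }
    }
  }
  return findings;
}

for (const f of auditNodeNames(SAMPLE_STATES)) {
  console.log(`${f.entity_id} ${f.attribute}: ${f.reason} -> ${JSON.stringify(f.value)}`);
}
```

Run it against a saved states dump by replacing `SAMPLE_STATES` with `JSON.parse(fs.readFileSync(path))`, and adjust `entityPrefix` to whatever prefix the integration actually uses. Plain quotes or punctuation in a name (the third sample entity) are not flagged; only markup-shaped content is.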

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-5vrg-xpcj-xppc. CWE-79 (Improper Neutralization of Input During Web Page Generation) classified as primary weakness. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

Official resources

2026-05-28