CRITICAL
jpettitt
CVE published 2026-05-28
CVE-2026-45323
A critical cross-site scripting (XSS) vulnerability in MeshCore Card, a Home Assistant Lovelace card for MeshCore mesh networking, allows arbitrary JavaScript execution in the Home Assistant frontend. The flaw stems from improper HTML escaping of node names rendered by the card. Any malicious node within direct or indirect (repeated) radio range can inject JavaScript payloads that execute in the context o [truncated]