CVE-2026-45323
CVE-2026-45323 is a critical-severity vulnerability rated 9.6/10 on the CVSS scale. MeshCore Card provides a MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, MeshCore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary JavaScript in the Home Assistant frontend of anyone viewing the card. EPSS estimates a 0.32% chance of exploitation in the next 30 days.
Description
MeshCore Card provides a MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, MeshCore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary JavaScript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Jpettitt | Meshcore Card | < 0.3.3 |
References
- https://github.com/jpettitt/meshcore-card/security/advisories/GHSA-5vrg-xpcj-xppc (Exploit, Mitigation, Vendor Advisory)
Timeline
- Published
- Last Modified
- Status: Analyzed
Source: NVD / NIST
