CVE-2026-45323

9.6 CRITICAL

MeshCore Card provides MeshCore Lovelace card for Home Assistant

Published: 2026-05-28 · Last updated: 2026-06-03

Severity and scoring

CVSS: 9.6 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-79

Affected products

Vendor	Product
jpettitt	meshcore_card

Description

MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45323
[Vendor advisory]https://github.com/jpettitt/meshcore-card/security/advisories/GHSA-5vrg-xpcj-xppc
[Vendor advisory]https://github.com/jpettitt/meshcore-card/security/advisories/GHSA-5vrg-xpcj-xppc

Related CVEs

Same CWE

CVE-2026-2827 — The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in ... (4.7 MEDIUM)
CVE-2026-42558 — Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)
CVE-2026-53742 — Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template (5.4 MEDIUM)
CVE-2026-53741 — Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding (5.4 MEDIUM)
CVE-2026-53740 — Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice (5.4 MEDIUM)