CVE 9.6 CRITICAL

MeshCore Card: XSS vulnerability through meshcore node name_CVE-2026-45323

May 28, 2026 invoker category_cve

9.6 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description

MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3.

AI Analysis

XSS vulnerability in meshcore-card through meshcore node name

Basic Information

ID CVE-2026-45323

Source GitHub_M

Published May 28, 2026 at 16:54

Affected Product

Vendor jpettitt

Product meshcore-card

Version < 0.3.3

Affected Versions jpettitt meshcore-card < 0.3.3

CWE Classification

CWE-79

AI Assessment

AI Score 9.6 / 10

AI Severity Critical

Vendor jpettitt

Product meshcore-card

Version < 0.3.3

References

github.com /jpettitt/meshcore-card/security/advisories/GHSA-5vrg-xpcj-xppc

{
    "lastseen": "",
    "description": "MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3.",
    "published": "2026-05-28T16:54:32.847Z",
    "modified": "2026-05-28T16:54:32.847Z",
    "type": "cve",
    "title": "MeshCore Card: XSS vulnerability through meshcore node name",
    "source": "GitHub_M",
    "references": "https://github.com/jpettitt/meshcore-card/security/advisories/GHSA-5vrg-xpcj-xppc",
    "id": "CVE-2026-45323",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "jpettitt meshcore-card < 0.3.3",
    "sourceHref": "",
    "cvss": {
        "score": 9.6,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "meshcore-card",
    "version": "< 0.3.3",
    "vendor": "jpettitt",
    "ai_description": "XSS vulnerability in meshcore-card through meshcore node name",
    "ai_severity": "Critical",
    "ai_vendor": "jpettitt",
    "ai_product": "meshcore-card",
    "ai_version": "< 0.3.3",
    "ai_score": 9.6
}

💭 Join the Security Discussion ❌ Cancel Reply