Executive Summary

CVE-2026-45323 is a critical cross-site scripting (XSS) vulnerability in the meshcore-card package used in Home Assistant. The issue occurs because meshcore node names are rendered without HTML escaping in the meshcore-card, allowing any node within direct or indirect radio range to execute arbitrary JavaScript in the Home Assistant frontend of anyone viewing the card.

The vulnerability arises from the adv_name attribute, which is the advertised name of any node heard on the mesh network, including untrusted nodes. This name is rendered as-is in the frontend without sanitization, enabling attackers to inject malicious scripts.

An attacker can set the adv_name attribute via the Home Assistant REST API to include an XSS payload, which executes when the dashboard is viewed. This attack requires no privileges and only that the victim views a dashboard containing a meshcore contact card.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to execute arbitrary JavaScript in the Home Assistant frontend, potentially gaining full control over the Home Assistant instance if the user is an admin. This could lead to unauthorized access to sensitive personal or health-related data managed by Home Assistant.

Such unauthorized access and potential data compromise could violate common standards and regulations like GDPR and HIPAA, which require protection of personal and health information against unauthorized access and breaches.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker within radio range of any node connected to the victim's mesh network to execute arbitrary JavaScript in the context of the Home Assistant frontend session.

If the victim user is an admin, the attacker can gain full control over the Home Assistant instance, potentially compromising the entire smart home environment.

The attack is zero-click, meaning it requires no interaction other than the victim viewing a dashboard containing the vulnerable meshcore contact card.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Home Assistant instance is running a version of the meshcore-card prior to 0.3.3, as those versions render meshcore node names without HTML escaping, allowing XSS attacks.

A practical detection method involves inspecting the adv_name attribute of meshcore nodes for suspicious or malicious HTML or JavaScript code, such as payloads like <img src=x onerror=alert(1)>.

Since the vulnerability is triggered when viewing the dashboard containing the meshcore contact card, monitoring network traffic or logs for unexpected JavaScript execution or unusual HTTP requests related to the meshcore integration may help.

No specific commands are provided in the resources, but you can use Home Assistant's REST API or developer tools to query the meshcore node states and inspect the adv_name fields for unsafe content.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the meshcore-card to version 0.3.3 or later, where the vulnerability is fixed by properly escaping HTML in the adv_name and other externally sourced strings.

Until the upgrade can be applied, avoid viewing dashboards containing the meshcore contact card or any meshcore cards that render node names, especially if you are in an environment where untrusted nodes could be within radio range.

Additionally, consider restricting access to the Home Assistant frontend to trusted users only, and monitor for any suspicious activity that could indicate exploitation attempts.

Useful 0 Not Useful 0