CVE-2026-45323: MeshCore Card: XSS vulnerability through meshcore node name
MeshCore Card provides the MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, MeshCore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary JavaScript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3.
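As an added illustration of the bug class (example code, not meshcore-card's own source): a radio-supplied node name interpolated straight into an HTML string becomes markup when the card assigns that string to the DOM, while escaping the HTML-significant characters at the point of interpolation (or assigning the name via textContent) keeps it as text. The function names and the sample node names below are constructed for this example.

```javascript
// Added example, not meshcore-card's code. Node names arrive over the radio
// from peers that never authenticated, so they are untrusted input exactly
// like a form field and must be escaped before they touch markup.

// Minimal HTML escaper for the characters that can break out of text or
// attribute context. '&' goes first so already-escaped output is not doubled.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (the pre-0.3.3 behaviour the advisory describes): the
// name is dropped into markup verbatim, so any tags it contains are parsed
// as HTML when the card writes this string into innerHTML.
function renderNodeRowUnsafe(node) {
  return `<div class="node" title="${node.name}">${node.name}</div>`;
}

// Hardened pattern: the untrusted value is escaped once, and the escaped
// form is used in both the attribute and the text position.
function renderNodeRow(node) {
  const name = escapeHtml(node.name);
  return `<div class="node" title="${name}">${name}</div>`;
}

// Defender-side check: report node names carrying markup-significant
// characters so they can be logged or reviewed; legitimate names rarely need them.
function findSuspiciousNodeNames(nodes) {
  return nodes.filter((n) => /[<>"'&]/.test(n.name)).map((n) => n.name);
}

// Constructed sample input: one ordinary name and one that carries markup.
const sampleNodes = [
  { name: 'Repeater-Hill' },
  { name: 'Node <b>1</b> & "co"' },
];

console.log('unsafe:', renderNodeRowUnsafe(sampleNodes[1]));
console.log('safe:  ', renderNodeRow(sampleNodes[1]));
console.log('flagged:', findSuspiciousNodeNames(sampleNodes));
```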
HarborGuard Analysis
Synopsis
This is a stored cross-site scripting (XSS) vulnerability in meshcore-card, the MeshCore Lovelace card for Home Assistant. It is reachable over the network and requires no authentication from the attacker; however, a victim must view the affected card in their Home Assistant frontend for the exploit to trigger. Successful exploitation gives the attacker full script execution in the victim's browser context, enabling data theft, account takeover, and arbitrary UI manipulation. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix is published upstream.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle meshcore-card. Any image carrying a version below 0.3.3 is flagged automatically.
- Triage: Available
HarborGuard scores this finding at CVSS 9.6 (Critical) and weights it against each customer environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
- Remediation: Pending upstream
Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream release is confirmed. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without any manual intervention required.
Exploit Conditions
- Network reachability: Required
The attacker delivers the malicious node name over the network: either the affected Home Assistant frontend must be reachable, or the attacker's MeshCore node must be within direct or repeated radio range of a node whose data eventually reaches the target's network.
- Authentication: Not required
No credentials are needed on the attacker's side; any MeshCore node within radio range can inject the malicious name without authenticating to the target system.
- Victim interaction: Required
A victim must open or view the meshcore-card in their Home Assistant frontend for the injected script to execute, making this a social-engineering or passive-wait scenario.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or other environmental prerequisites beyond the victim viewing the card.
Blast Radius
- Reads session tokens, authentication cookies, and any secrets visible in the Home Assistant frontend, potentially handing the attacker full account access.
- Executes arbitrary JavaScript in the victim's browser, allowing the attacker to make authenticated API calls to Home Assistant on the victim's behalf.
- Modifies the Home Assistant UI or injects persistent payloads that affect other users who view the same dashboard.
- Disrupts the victim's Home Assistant session or triggers actions against connected smart-home devices controlled through the frontend.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged at Critical severity and matched against every image in customer registries and CI pipelines that includes meshcore-card below version 0.3.3. Because no upstream fix exists yet, HarborGuard monitors the advisory on each ingest cycle and will trigger a patched-image rebuild automatically once version 0.3.3 or a confirmed fix release is published. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation of the Home Assistant frontend to limit which nodes can introduce MeshCore names into the UI, and feature-flag gating or removal of the meshcore-card component from dashboards until a patched version is available.
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
- jpettitt / meshcore-card: < 0.3.3
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H