External risk intelligence

MeshCore Card Allows Arbitrary JavaScript Execution in Home Assistant.

CVE advisory

Severity: CRITICAL (CVSS 9.6)

CVE-2026-45323

The MeshCore Lovelace card for Home Assistant is affected by a vulnerability that allows for arbitrary JavaScript execution. This could impact internal systems by enabling unauthorized actions or data exposure within the Home Assistant frontend. The realistic business risk involves potential compromise of sensitive dat

Halo Surface Signal (score: 1)

Cross-site Scripting

Jpettitt Meshcore Card

before 0.3.3

External exposure likelihood

Halo Surface Signal score for CVE-2026-45323

The vulnerability exists in a plugin for Home Assistant, a home automation platform typically deployed within private, local networks. Access to the vulnerable card requires being on the internal network where the home automation instance resides, making public internet exposure of this specific component extremely unlikely in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-45323

Yes

CVE-2026-45323 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

A cross-site scripting vulnerability in the MeshCore Card for Home Assistant allows attackers to inject arbitrary JavaScript into the Home Assistant frontend. This could lead to the compromise of sensitive data or system functions, making it a PCI compliance concern.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects the MeshCore Lovelace card for Home Assistant. The flaw allows an attacker to execute arbitrary JavaScript within the Home Assistant frontend. This could lead to unauthorized actions or data exposure within the affected organization's internal systems.

  • Vulnerable Home Assistant card
  • Node names lack HTML escaping
  • Potential for unauthorized actions

Attack Path

How an attacker could exploit the issue

A network-based attack can occur when a specially crafted node name is rendered without proper HTML escaping. An attacker could leverage this to execute arbitrary JavaScript within the affected application. This could lead to unauthorized actions or data compromise within the Home Assistant environment.

  • Exposure condition: Node names are not properly escaped.
  • Attacker starting point: Network attacker in radio range.
  • Trigger and result: Attacker-controlled node name executes JavaScript.

Live Threat

Current exploitation, exposure, and threat context

The MeshCore Card vulnerability lets an unauthenticated actor execute arbitrary JavaScript in the Home Assistant frontend of users who interact with the affected card, with the potential to compromise sensitive data or disrupt services. Its critical severity, combined with the reach of a script running inside the frontend, makes remediation a priority for organizations using Home Assistant with this card.

  • Likely attacker skill level: Low
  • Required access or conditions: Network access, or control of a node within radio range of the mesh
  • Business risk or urgency: Critical

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability may allow an unauthenticated attacker to execute arbitrary JavaScript within the Home Assistant frontend. The attacker could leverage this by controlling a node within radio range, whether directly or indirectly connected. This could lead to unauthorized actions or data exposure within the Home Assistant environment.

  • Identify Home Assistant instances using the affected card.
  • Restrict network access to Home Assistant.
  • Update to the fixed version, verify, and monitor.

Frequently asked questions

What is the MeshCore Card for Home Assistant and its role in home automation?

The MeshCore Card is a specific component designed for Home Assistant, an open-source platform used for home automation. Its primary function is to display information within the Home Assistant user interface, particularly data related to mesh networking devices.

What type of weakness does CVE-2026-45323 represent, and what does it mean?

CVE-2026-45323 is classified as a Cross-Site Scripting (XSS) vulnerability, specifically a CWE-79. This type of weakness allows an attacker to inject malicious scripts into a web page, which can then be executed by other users who view that page.

How can an attacker trigger the vulnerability in the MeshCore Card?

An attacker can exploit this by submitting a specially crafted node name. When this malicious name is rendered within the MeshCore Card without proper HTML escaping, it can lead to the execution of arbitrary JavaScript in the user's Home Assistant frontend.
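The rendering defect described in the attack path and in this answer, as an added illustration that is not the MeshCore card's own code: a Lovelace-style card that interpolates the node name straight into markup destined for innerHTML, beside the same renderer with HTML escaping applied. The node structure and the sample name are constructed for the example.

```javascript
// Added illustration (not the MeshCore card's own code): why an unescaped
// node name becomes live markup in a Lovelace card, and the corrected form.

// Minimal HTML escaper covering the five characters that matter in both
// text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the node name is interpolated into a template string
// that is later assigned to innerHTML, so any tag in the name becomes DOM.
function renderNodeRowUnsafe(node) {
  return `<div class="node" title="${node.name}">${node.name} (${node.rssi} dBm)</div>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation,
// and numeric fields are coerced so they cannot carry markup at all.
function renderNodeRowSafe(node) {
  const name = escapeHtml(node.name);
  const rssi = Number(node.rssi);
  return `<div class="node" title="${name}">${name} (${rssi} dBm)</div>`;
}

// Constructed sample: a node name carrying markup characters, as a name
// received over the radio mesh could.
const SAMPLE_NODE = { name: 'Cabin <b>relay</b> "north"', rssi: -87 };

// Check used by the test below: does the rendered markup still contain a raw
// tag that originated in the node name?
function leaksMarkup(html) {
  return /<b>/.test(html);
}
```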

What is the significance of CVE-2026-45323 for Home Assistant users?

This vulnerability poses a critical risk to Home Assistant users as it allows an unauthenticated attacker, positioned within radio range, to execute arbitrary JavaScript. This could result in unauthorized actions, data exposure, or disruption of services within the Home Assistant environment.

What are the recommended steps to address the MeshCore Card vulnerability?

To address this vulnerability, users should identify all Home Assistant instances using the affected MeshCore Card, restrict network access to Home Assistant, and promptly update the MeshCore Card to version 0.3.3 or later. Verifying the update and ongoing monitoring are also crucial steps.
