this post was submitted on 03 Jun 2026
1 points (100.0% liked)

MeshCore

267 readers
10 users here now

Everthing MeshCore: Hardware, Software, general disscussion...

founded 8 months ago
MODERATORS
ices@feddit.org
1
Rooting Home Assistant through MeshCore: XSS attacks with a LoRa node name | Sasha Romijn (mxsasha.eu)
submitted 1 week ago by litchralee@sh.itjust.works to c/Meshcore@feddit.org
0 comments fedilink hide all child comments
 

A crafted MeshCore node name could compromise any Home Assistant instance running meshcore-card as soon as someone viewed a dashboard with that card.

The same XSS (cross-site scripting) pattern appears to be present in MeshCore-Home-Assistant-Panel-v2 and its HACS variant

To be abundantly clear, and the post goes into detail why, this is not a bug in MeshCore but rather in how web dashboards are not properly sanitizing untrusted input. In this case, the untrusted input is via a field that any malicious MeshCore node could send.

Well worth a read and a follow on their Mastodon.

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here