GHSA-ch57-39q2-4crm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ch57-39q2-4crm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-ch57-39q2-4crm/GHSA-ch57-39q2-4crm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-ch57-39q2-4crm
- Aliases
-
- CVE-2026-43980
- Published
- 2026-06-03T21:06:27Z
- Modified
- 2026-06-03T21:15:07.786126296Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- malla: Stored XSS via Meshtastic node names in multiple frontend pages
- Details
-
Node names (longname, shortname) received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor.
Affected files:
- src/malla/templates/traceroute_graph.html (line ~832)
- src/malla/templates/map.html (lines ~945, 1078)
- src/malla/templates/packet_detail.html (lines ~1402, 1452)
- src/malla/static/js/relaynodeanalysis.js (line ~124)
Steps to reproduce
- Publish a Meshtastic NODEINFOAPP packet to any public MQTT broker with longname set to a HTML entity i.e
<img src=x onerror=alert(1)> - Wait for malla-capture to store it
- Open the dashboard
Impact
Allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser, such as:
- Phishing overlays
- Force redirect to malicious websites
- Injection of arbitrary third-party scripts (no CSP restrictions)
- Browser resource abuse
- Persistent dashboard denial of service
- Database specific
{ "github_reviewed_at": "2026-06-03T21:06:27Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "nvd_published_at": null }- References
Affected packages
PyPI / malla
Package
- Name
- malla
- View open source insights on deps.dev
- Purl
- pkg:pypi/malla