Node names (longname, shortname) received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor.
Affected files:
Steps to reproduce
<img src=x onerror=alert(1)>Impact
Allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser, such as: