GHSA-ch57-39q2-4crmMediumCVSS 6.3

malla: Stored XSS via Meshtastic node names in multiple frontend pages

Published
June 3, 2026
Last Modified
June 3, 2026

🔗 CVE IDs covered (1)

📋 Description

Node names (long_name, short_name) received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor.

Affected files:

  • src/malla/templates/traceroute_graph.html (line ~832)
  • src/malla/templates/map.html (lines ~945, 1078)
  • src/malla/templates/packet_detail.html (lines ~1402, 1452)
  • src/malla/static/js/relay_node_analysis.js (line ~124)

Steps to reproduce

  1. Publish a Meshtastic NODEINFO_APP packet to any public MQTT broker with long_name set to a HTML entity i.e <img src=x onerror=alert(1)>
  2. Wait for malla-capture to store it
  3. Open the dashboard

Impact

Allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser, such as:

  • Phishing overlays
  • Force redirect to malicious websites
  • Injection of arbitrary third-party scripts (no CSP restrictions)
  • Browser resource abuse
  • Persistent dashboard denial of service

🎯 Affected products1

  • pip/malla:<= 0.1.7

🔗 References (3)