this post was submitted on 03 Jun 2026

cross-posted from: https://sh.itjust.works/post/61250326

A crafted MeshCore node name could compromise any Home Assistant instance running meshcore-card as soon as someone viewed a dashboard with that card.

The same XSS (cross-site scripting) pattern appears to be present in MeshCore-Home-Assistant-Panel-v2 and its HACS variant.

To be abundantly clear, and the post goes into detail why, this is not a bug in MeshCore but rather in how web dashboards are not properly sanitizing untrusted input. In this case, the untrusted input is via a field that any malicious MeshCore node could send.

Well worth a read and a follow on their Mastodon.
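The pattern described above, as an added example that is not part of the original post and is not code from meshcore-card or the panel projects: a hypothetical card renderer that interpolates a radio-supplied node name into markup, next to a version that escapes it at the point of output. The function names, the `name`/`rssi` fields and the sample nodes are assumptions constructed for illustration.

```javascript
// Added example: hypothetical dashboard-card rendering, not the affected projects' code.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the characters that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the node name arrives over the mesh from any sender and is
// placed into the markup unchanged, so markup in the name becomes part of the page.
function renderNodeRowUnsafe(node) {
  return `<li class="node" title="${node.name}">${node.name} (${node.rssi} dBm)</li>`;
}

// Hardened pattern: every untrusted field is escaped where it is written out,
// and the numeric field is coerced to a number instead of being trusted as text.
function renderNodeRowSafe(node) {
  const rssi = Number(node.rssi);
  const rssiText = Number.isFinite(rssi) ? String(rssi) : "?";
  const name = escapeHtml(node.name);
  return `<li class="node" title="${name}">${name} (${rssiText} dBm)</li>`;
}

// Review/logging helper: flags names containing markup-significant characters.
function hasMarkupChars(name) {
  return /[&<>"']/.test(String(name));
}

// Constructed sample input: one ordinary name, one name carrying markup.
const sampleNodes = [
  { name: "Repeater-North", rssi: -87 },
  { name: '"><img src=x onerror=alert(1)>', rssi: -60 },
];

for (const node of sampleNodes) {
  console.log(hasMarkupChars(node.name) ? "[flagged]" : "[ok]", renderNodeRowSafe(node));
}
```

In DOM code the equivalent fix is to assign the name to `textContent` (or use a templating layer that escapes text bindings) instead of building a string for `innerHTML`.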

top 2 comments
semperverus@lemmy.world 4 points 6 days ago (1 children)

So hey uh... Meshtastic is pretty cool

tribut@infosec.pub 3 points 5 days ago* (last edited 5 days ago)

This has nothing to do with MeshCore as a protocol; the problem is that some HA addons don't treat untrusted input properly. The malicious name could have been transmitted via Meshtastic or carrier pigeon, if another addon did the same dumb thing.