malla CVE-2026-43980
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Node names (long_name, short_name) received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor.
Affected files:
- src/malla/templates/traceroute_graph.html (line ~832)
- src/malla/templates/map.html (lines ~945, 1078)
- src/malla/templates/packet_detail.html (lines ~1402, 1452)
- src/malla/static/js/relay_node_analysis.js (line ~124)
Steps to reproduce
- Publish a Meshtastic NODEINFO_APP packet to any public MQTT broker with long_name set to a HTML entity i.e
<img src=x onerror=alert(1)> - Wait for malla-capture to store it
- Open the dashboard
Impact
Allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser, such as:
- Phishing overlays
- Force redirect to malicious websites
- Injection of arbitrary third-party scripts (no CSP restrictions)
- Browser resource abuse
- Persistent dashboard denial of service
AnalysisAI
Stored XSS in the malla Meshtastic dashboard (pip/malla <= 0.1.7) allows any unauthenticated participant on a public MQTT broker to execute arbitrary JavaScript in the browser of every dashboard visitor. Meshtastic node names (long_name, short_name) received via MQTT are stored in SQLite without sanitization and interpolated directly into multiple HTML templates and frontend JavaScript files without output escaping. No CSP restrictions are in place, compounding impact. No public exploit identified at time of analysis, though full reproduction steps are published in GHSA-ch57-39q2-4crm.
Technical ContextAI
malla is a Python pip package (pkg:pip/malla) that captures and visualizes Meshtastic LoRa mesh network traffic ingested from MQTT brokers and stored in SQLite. The root cause is CWE-79 (Stored Cross-Site Scripting): node identity fields from NODEINFO_APP MQTT packets are persisted to the database without sanitization and later interpolated into HTML output via string concatenation - bypassing all output encoding. The commit diff (4086e2b5f61615a813b70b25bc76095083552135) confirms the vulnerable pattern: functions like esc() were used inconsistently and string-built HTML (e.g., innerHTML-style concatenation with raw node names) existed across four locations - src/malla/templates/traceroute_graph.html (~line 832), src/malla/templates/map.html (~lines 945, 1078), src/malla/templates/packet_detail.html (~lines 1402, 1452), and src/malla/static/js/relay_node_analysis.js (~line 124). The fix migrates to DOM API methods (textNode, el()) and introduces safeUrl/safePath helpers that inherently prevent XSS by construction.
RemediationAI
An upstream fix is available via commit 4086e2b5f61615a813b70b25bc76095083552135 (https://github.com/zenitraM/malla/commit/4086e2b5f61615a813b70b25bc76095083552135), which replaces HTML string concatenation with DOM API methods and introduces safeUrl/safePath helpers across the affected frontend files. However, the advisory records 'fixed in: None' for a released PyPI package version - a patched pip release has not been confirmed independently, meaning operators must apply the commit manually or build from patched source. As a compensating control, restrict access to the malla dashboard to trusted internal network segments or authenticated users only, since the attack requires a victim to browse the dashboard. Implementing a Content Security Policy (CSP) header that restricts script execution to known origins would substantially reduce impact if patching is delayed - the advisory explicitly notes no CSP is currently present, which is what enables arbitrary third-party script injection. Restricting which MQTT brokers malla-capture connects to (private, controlled brokers rather than public ones) prevents an external attacker from ever injecting a malicious node name into the database.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-ch57-39q2-4crm