OpenWrt · LuCI · CVE-2026-32721
**Name of the Vulnerable Software and Affected Versions**
LuCI versions prior to 24.10.5 and 25.12.0
**Description**
LuCI, the OpenWrt Configuration Interface, is affected by a stored Cross-Site Scripting (XSS) issue in the wireless scan modal. SSID values from scan results are rendered as raw HTML without proper sanitization: the `wireless.js` file in the `luci-mod-network` package uses a template literal to pass SSIDs to `dom.append()`, which then processes them through `innerHTML`. This allows an attacker to create a malicious SSID containing arbitrary HTML/JavaScript code. Exploitation requires a user to actively open the wireless scan modal, such as when connecting to a Wi-Fi access point or surveying nearby channels. The issue impacts OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1).
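
The pattern described above, as an added example that is not LuCI's own code: a template literal that interpolates an SSID into markup later parsed as HTML, next to an escaped variant and a check suitable for a unit test. All function names and the scan data are hypothetical and constructed for illustration.

```javascript
// Added example; function names are hypothetical, not taken from LuCI.
// It models the markup string that would be handed to innerHTML.

// Constructed scan results. The second SSID carries markup and still
// fits within the 32-byte SSID limit.
const scanResults = [
  { ssid: 'HomeNet', channel: 6 },
  { ssid: '<img src=x onerror=0>', channel: 11 },
];

// Vulnerable pattern: the SSID is interpolated into a template literal,
// and the resulting string is later parsed as HTML.
function renderCellUnsafe(ap) {
  return `<td>${ap.ssid}</td><td>${ap.channel}</td>`;
}

// Hardened pattern: escape the HTML-significant characters before
// interpolation so the SSID can only ever be text.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderCellSafe(ap) {
  return `<td>${escapeHTML(ap.ssid)}</td><td>${escapeHTML(ap.channel)}</td>`;
}

// Regression check: list the opening tags an HTML parser would see.
// Anything other than the template's own <td> cells came from the SSID.
function tagNames(markup) {
  return [...markup.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
}

for (const ap of scanResults) {
  console.log(JSON.stringify(ap.ssid),
    'unsafe tags:', tagNames(renderCellUnsafe(ap)).join(','),
    '| safe tags:', tagNames(renderCellSafe(ap)).join(','));
}
```

In browser code, building the cell as a DOM node and assigning the SSID through `textContent` avoids HTML parsing of the value altogether.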
**Recommendations**
LuCI versions prior to 24.10.5 should be updated to version 24.10.5 or later.
LuCI versions prior to 25.12.0 should be updated to version 25.12.0 or later.