Malla dashboard flaw lets Meshtastic node names execute JavaScript
A malicious Meshtastic node name can ride through Malla’s MQTT pipeline and run JavaScript in the browser of anyone viewing the dashboard.

If Malla is pointed at public or loosely trusted Meshtastic data, a node name can turn into a browser-side attack path: a malicious long_name or short_name arrives over MQTT, gets stored in SQLite without sanitization, and then renders into the web UI as active JavaScript. That means a single hostile node can compromise every dashboard visitor, not just one unlucky session.
GitLab’s advisory for CVE-2026-43980, published June 3, 2026, said the issue affects Malla versions 0.1.7 and earlier, with no patched version listed in the GitHub advisory entry at the time of publication. The vulnerable code paths include traceroute_graph.html, map.html, packet_detail.html, and relay_node_analysis.js, which shows the bad data was not confined to one corner of the interface. The advisory also included a proof-of-concept using a NODEINFO_APP packet with HTML payload in long_name, underscoring that this was a working stored cross-site scripting chain, not a theoretical parsing bug.
The risk is higher anywhere Malla consumes shared mesh data. Meshtastic provides a public MQTT service and documents it as a way to bridge mesh traffic to the internet, while also warning that connecting to the public server may publish the locations of all nodes in a mesh. Its MQTT module can send a map report that includes a node’s long and short name and ID, position, hardware model, role, firmware version, LoRa region, modem preset, and primary channel name. In other words, the fields that Malla displays are exactly the ones that can be exposed across a public feed.
That matters because Meshtastic’s own configuration docs define long name as a personalized device name and short name as a personalized short identifier, and Node Info Broadcast Seconds controls how often NodeInfo messages carrying those names are broadcast. Repeated broadcasts make these identifiers normal, persistent traffic on the mesh and over MQTT, which gives an attacker a reliable delivery path if the feed is open to untrusted participants.
The practical move today is simple: treat public MQTT input as hostile until Malla ships a fix, and keep version 0.1.7 and earlier off any dashboard that faces shared or semi-public data. Operators should stop relying on unescaped node metadata in browser views, isolate dashboards from public brokers where possible, and assume map, traceroute, and packet-detail screens can all be used as injection points. OWASP’s XSS guidance calls out the core danger clearly: once script lands in a trusted page, the browser becomes the weakest link.
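The mitigation that closes the chain described above is output encoding at the point where stored node metadata is turned into markup, in every view that shows it. The snippet below is an added example rather than Malla's own code: `renderNodePopupUnsafe` and `renderNodePopupSafe` are hypothetical popup builders, and the `hostileNode` record is constructed to resemble a NodeInfo row read back from the dashboard's database, not a payload taken from the advisory.

```javascript
// Added example: encode untrusted Meshtastic node fields before they reach
// the DOM. Not Malla's code; names and the sample record are constructed.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Escape every character that can open a tag, close an attribute, or start
// a JavaScript string; this makes a value safe in element text and inside
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored metadata concatenated straight into markup, so
// a crafted long_name or short_name becomes live HTML in the visitor's browser.
function renderNodePopupUnsafe(node) {
  return `<b>${node.long_name}</b> (${node.short_name})<br>` +
         `<span title="${node.long_name}">${node.node_id}</span>`;
}

// Hardened pattern: each untrusted field is escaped at the output boundary,
// whether it lands in element content or in a quoted attribute. Doing this
// at render time (not at MQTT ingestion) covers every view that reads the
// same SQLite row: map, traceroute, packet detail.
function renderNodePopupSafe(node) {
  const long = escapeHtml(node.long_name);
  const short = escapeHtml(node.short_name);
  const id = escapeHtml(node.node_id);
  return `<b>${long}</b> (${short})<br><span title="${long}">${id}</span>`;
}

// Defender's check: count raw '<' characters. The safe template contributes
// exactly five (<b>, </b>, <br>, <span, </span>); any extra came from data.
function rawTagCount(html) {
  return (html.match(/</g) || []).length;
}

// Constructed hostile NodeInfo record (hypothetical id and names).
const hostileNode = {
  node_id: '!deadbeef',
  long_name: '<img src=x onerror="alert(1)">',
  short_name: '"><svg onload=alert(1)>',
};
```

The unsafe builder emits eight raw `<` characters for this record, three of them attacker-controlled, while the safe builder emits only the five from its own template.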
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.