Skip to main content
CVE-2026-61876 CRITICAL Act Now

Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/JavaScript by supplying a malicious DHCPv6 Client FQDN hostname, which the DHCP lease status tables render without proper output encoding. When an administrator views the DHCP lease page, the payload executes in their authenticated browser session, enabling router admin-panel compromise. Rated CVSS 4.0 9.4 (Critical) by the vendor; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Luci
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2026-56271 CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy