Skip to main content

OpenWrt LuCI CVE-2026-61876

| EUVDEUVD-2026-43236 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-07-12 VulnCheck GHSA-8gvq-r3c7-vwmv
9.4
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.5 HIGH

Adjacent DHCPv6 injection needs no web auth (PR:N) but admin must view the page (UI:R); XSS runs in the admin session across a scope boundary (S:C) enabling full router-panel compromise (C:H/I:H, A:N).

3.1 AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 12, 2026 - 12:47 vuln.today

DescriptionCVE.org

LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.

AnalysisAI

Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/JavaScript by supplying a malicious DHCPv6 Client FQDN hostname, which the DHCP lease status tables render without proper output encoding. When an administrator views the DHCP lease page, the payload executes in their authenticated browser session, enabling router admin-panel compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join adjacent LAN/Wi-Fi segment
Delivery
Send DHCPv6 request with malicious Client FQDN
Exploit
Hostname stored in lease table
Execution
Admin opens DHCP lease status page
Persist
Script executes in admin session
Impact
Hijack session / alter router config

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be on the same adjacent/link-local network as the target OpenWrt router (AV:A) and to be able to obtain a DHCPv6 lease - i.e., the router must have the DHCPv6 server (odhcpd) enabled and accept the client's FQDN hostname option, which is default behavior on OpenWrt LAN interfaces. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H with subsequent-system impact SC:H/SI:H/SA:H) drives the 9.4 Critical score, largely because 4.0 models the scope change into the admin's browser/router as high subsequent-system impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connected to the router's LAN or Wi-Fi (including a guest network) sends a crafted DHCPv6 solicit/request carrying a Client FQDN option whose hostname embeds a script payload such as <script>...</script>. The malicious hostname is stored in the lease table, and when the router administrator later opens the DHCP/DHCPv6 leases status page in LuCI, the script executes in their authenticated session - allowing session/credential theft or CSRF-style configuration changes to the router. …
Remediation Upgrade LuCI to the fixed release identified in the OpenWrt advisory GHSA-686p-p8p9-x6fh (https://github.com/openwrt/luci/security/advisories/GHSA-686p-p8p9-x6fh); an exact patched version number is not present in the supplied data, so treat this as Patch available per vendor advisory and confirm the target version from that advisory before deploying (via the LuCI 'Software' page or opkg update/upgrade of the luci packages). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all OpenWrt deployments in your infrastructure and disable LuCI web interface where operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Luci

View all
CVE-2019-12272 CRITICAL
9.8 May 23

In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_st

CVE-2023-24181 MEDIUM POC
5.4 Apr 10

LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vuln

CVE-2022-41435 MEDIUM POC
5.4 Nov 03

OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerabilit

CVE-2020-10871 MEDIUM POC
5.3 Mar 23

In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. Rat

CVE-2026-58000 HIGH
8.7 Jun 29

Root command injection in OpenWrt's LuCI web interface (luci-proto-openvpn through 0.11.1) lets an authenticated user wi

CVE-2026-62184 HIGH
8.7 Jul 13

Ban-list poisoning in OpenWrt's luci-app-banip (banIP) before 1.8.10 lets an unauthenticated remote attacker steer the a

CVE-2026-61875 HIGH
8.7 Jul 12

Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload t

CVE-2026-59260 HIGH
8.7 Jul 12

Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke

CVE-2026-32721 HIGH
8.6 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in the OpenWrt LuCI web interface where malicious JavaScript co

CVE-2026-57999 HIGH
7.7 Jun 29

Authenticated root command injection in the OpenWrt LuCI community Tailscale app (luci-app-tailscale-community) lets a l

CVE-2021-27821 MEDIUM
6.1 May 25

The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerabil

CVE-2013-4482 MEDIUM
6.2 Nov 23

Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscrip

Share

CVE-2026-61876 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy