Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent DHCPv6 injection needs no web auth (PR:N) but admin must view the page (UI:R); XSS runs in the admin session across a scope boundary (S:C) enabling full router-panel compromise (C:H/I:H, A:N).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.
AnalysisAI
Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/JavaScript by supplying a malicious DHCPv6 Client FQDN hostname, which the DHCP lease status tables render without proper output encoding. When an administrator views the DHCP lease page, the payload executes in their authenticated browser session, enabling router admin-panel compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be on the same adjacent/link-local network as the target OpenWrt router (AV:A) and to be able to obtain a DHCPv6 lease - i.e., the router must have the DHCPv6 server (odhcpd) enabled and accept the client's FQDN hostname option, which is default behavior on OpenWrt LAN interfaces. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H with subsequent-system impact SC:H/SI:H/SA:H) drives the 9.4 Critical score, largely because 4.0 models the scope change into the admin's browser/router as high subsequent-system impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker connected to the router's LAN or Wi-Fi (including a guest network) sends a crafted DHCPv6 solicit/request carrying a Client FQDN option whose hostname embeds a script payload such as <script>...</script>. The malicious hostname is stored in the lease table, and when the router administrator later opens the DHCP/DHCPv6 leases status page in LuCI, the script executes in their authenticated session - allowing session/credential theft or CSRF-style configuration changes to the router. … |
| Remediation | Upgrade LuCI to the fixed release identified in the OpenWrt advisory GHSA-686p-p8p9-x6fh (https://github.com/openwrt/luci/security/advisories/GHSA-686p-p8p9-x6fh); an exact patched version number is not present in the supplied data, so treat this as Patch available per vendor advisory and confirm the target version from that advisory before deploying (via the LuCI 'Software' page or opkg update/upgrade of the luci packages). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all OpenWrt deployments in your infrastructure and disable LuCI web interface where operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_st
LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vuln
OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerabilit
In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. Rat
Root command injection in OpenWrt's LuCI web interface (luci-proto-openvpn through 0.11.1) lets an authenticated user wi
Ban-list poisoning in OpenWrt's luci-app-banip (banIP) before 1.8.10 lets an unauthenticated remote attacker steer the a
Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload t
Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke
A stored cross-site scripting (XSS) vulnerability exists in the OpenWrt LuCI web interface where malicious JavaScript co
Authenticated root command injection in the OpenWrt LuCI community Tailscale app (luci-app-tailscale-community) lets a l
The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerabil
Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscrip
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43236
GHSA-8gvq-r3c7-vwmv