Skip to main content

luci-app-banip CVE-2026-62184

HIGH
Improper Encoding or Escaping of Output (CWE-116)
2026-07-13 VulnCheck
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remotely reachable log input with no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is denial of the blocking control affecting availability only (A:H), with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 13, 2026 - 22:02 vuln.today
Analysis Generated
Jul 13, 2026 - 22:02 vuln.today
CVE Published
Jul 13, 2026 - 21:30 cve.org
HIGH 8.7

DescriptionCVE.org

luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP address into the login username field, causing banIP to block the wrong target while the real attacker remains unblocked.

AnalysisAI

Ban-list poisoning in OpenWrt's luci-app-banip (banIP) before 1.8.10 lets an unauthenticated remote attacker steer the automated IP-blocking engine at an arbitrary victim. Because the awk-based log monitor grabs the first IPv4 address it finds on a log line regardless of field position, an attacker can embed a spoofed IP inside an attacker-controlled field such as a login username; banIP then bans that injected address while the real attacker's source IP is never blocked. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed logged service
Delivery
Submit login with spoofed IP in username
Exploit
awk parser extracts forged first IP
Execution
banIP adds victim IP to ban set
Impact
Legitimate target blocked while attacker evades ban

Vulnerability AssessmentAI

Exploitation Exploitation requires that banIP's log-monitoring feature is enabled with a Log Term matching a log source that echoes an attacker-controlled free-form field (classically a failed-login username, but any monitored line reflecting unvalidated input works), and that the monitored service is reachable by the attacker to generate such log entries. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H, base 8.7 High) is internally consistent with the description: remote, low-complexity, unauthenticated, no user interaction, and impact confined to availability (VA:H) with no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker repeatedly hits an internet-facing service on the OpenWrt device (for example SSH or a web login) using a username crafted to contain a spoofed IPv4 string such as the address of a legitimate partner or upstream service. banIP's log monitor extracts that injected address from the failed-login log line and adds it to the firewall ban set, cutting off the innocent victim while the attacker's real source IP continues unblocked. …
Remediation Upgrade luci-app-banip to the vendor-released patch version 1.8.10 or later (fix commit d9bbc372e29618a8807b693a1ccf6d0e42cd196c; advisory GHSA-r6hx-4f83-vp8m). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all OpenWrt systems running banIP versions before 1.8.10 and assess internet-facing criticality; simultaneously begin testing luci-app-banip 1.8.10 in a lab environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Luci

View all
CVE-2019-12272 CRITICAL
9.8 May 23

In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_st

CVE-2026-61876 CRITICAL
9.4 Jul 12

Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/Jav

CVE-2023-24181 MEDIUM POC
5.4 Apr 10

LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vuln

CVE-2022-41435 MEDIUM POC
5.4 Nov 03

OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerabilit

CVE-2020-10871 MEDIUM POC
5.3 Mar 23

In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. Rat

CVE-2026-58000 HIGH
8.7 Jun 29

Root command injection in OpenWrt's LuCI web interface (luci-proto-openvpn through 0.11.1) lets an authenticated user wi

CVE-2026-61875 HIGH
8.7 Jul 12

Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload t

CVE-2026-59260 HIGH
8.7 Jul 12

Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke

CVE-2026-32721 HIGH
8.6 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in the OpenWrt LuCI web interface where malicious JavaScript co

CVE-2026-57999 HIGH
7.7 Jun 29

Authenticated root command injection in the OpenWrt LuCI community Tailscale app (luci-app-tailscale-community) lets a l

CVE-2021-27821 MEDIUM
6.1 May 25

The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerabil

CVE-2013-4482 MEDIUM
6.2 Nov 23

Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscrip

Share

CVE-2026-62184 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy