Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
DHCP is link-local so AV:A over NVD's AV:N; unauthenticated client (PR:N) but admin must view the leases page (UI:R); XSS in admin session crosses scope (S:C) enabling full router config C/I/A.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, odhcpd writes a DHCPv6 client FQDN option 39 hostname into /tmp/odhcpd.leases through src/statefiles.c statefiles_write_state6() and statefiles_write_state4() without escaping, allowing newline injection of forged lease lines that LuCI rpcd-mod-luci getDHCPLeases displays through htdocs/luci-static/resources/view/status/include/40_dhcp.js and htdocs/luci-static/resources/luci.js dom.append as live HTML in the Active DHCPv6 Leases admin page. This vulnerability is fixed in 25.12.5.
AnalysisAI
Stored cross-site scripting in OpenWrt's default odhcpd server (all releases prior to 25.12.5) lets a network-adjacent DHCP client inject forged lease records that execute as HTML/JavaScript in a router administrator's browser. The client-supplied DHCPv6 FQDN option 39 (and DHCPv4 option 12) hostname is written unescaped into /tmp/odhcpd.leases, enabling newline injection of attacker-controlled fields that LuCI's Active DHCPv6 Leases page renders via unsafe dom.append. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires odhcpd running as the DHCPv6/DHCPv4 server, which is the default OpenWrt configuration, and an attacker able to send DHCP requests on the local link with a crafted FQDN option 39 / option 12 hostname carrying an embedded newline plus HTML/JS. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting an unauthenticated injector, scope change into the admin session, and full C/I/A impact on a router. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to the LAN/DHCP link connects a device that requests a lease with a crafted DHCPv6 FQDN option 39 (or DHCPv4 option 12) hostname containing an embedded newline and an HTML/JavaScript payload. odhcpd writes the forged line into /tmp/odhcpd.leases, and when the router administrator later opens the LuCI Active DHCPv6 Leases page, the payload executes in their authenticated session, allowing router configuration changes. … |
| Remediation | Vendor-released patch: OpenWrt 25.12.5 - upgrade firmware via the OpenWrt Firmware Selector (https://firmware-selector.openwrt.org/?version=25.12.5) or the release page (https://github.com/openwrt/openwrt/releases/tag/v25.12.5), which also bundles fixes for several other odhcpd CVEs (CVE-2026-53921, -53918, -53920, -53922, -55606). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all OpenWrt deployments and identify systems running versions prior to 25.12.5. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
In wlan service, there is a possible out of bounds write due to improper input validation. Rated critical severity (CVSS
An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. Rated high severity (CVS
cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the
In wlan service, there is a possible out of bounds write due to an incorrect bounds check. Rated critical severity (CVSS
An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1
An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1
Remote privilege escalation in Android WLAN AP driver via packet injection.
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es
Remote code execution in OpenWrt's mDNS daemon (versions before 24.10.6 and 25.12.1) allows unauthenticated attackers to
Remote code execution in OpenWrt mdns daemon (versions before 24.10.6 and 25.12.1) allows unauthenticated attackers to c
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44748