Skip to main content

OpenWrt odhcpd CVE-2026-62948

| EUVDEUVD-2026-44748 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-07-15 GitHub_M
9.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

DHCP is link-local so AV:A over NVD's AV:N; unauthenticated client (PR:N) but admin must view the leases page (UI:R); XSS in admin session crosses scope (S:C) enabling full router config C/I/A.

3.1 AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 21:18 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 18:34 vuln.today
Analysis Generated
Jul 15, 2026 - 18:34 vuln.today
CVE Published
Jul 15, 2026 - 17:50 cve.org
CRITICAL 9.6

DescriptionCVE.org

OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, odhcpd writes a DHCPv6 client FQDN option 39 hostname into /tmp/odhcpd.leases through src/statefiles.c statefiles_write_state6() and statefiles_write_state4() without escaping, allowing newline injection of forged lease lines that LuCI rpcd-mod-luci getDHCPLeases displays through htdocs/luci-static/resources/view/status/include/40_dhcp.js and htdocs/luci-static/resources/luci.js dom.append as live HTML in the Active DHCPv6 Leases admin page. This vulnerability is fixed in 25.12.5.

AnalysisAI

Stored cross-site scripting in OpenWrt's default odhcpd server (all releases prior to 25.12.5) lets a network-adjacent DHCP client inject forged lease records that execute as HTML/JavaScript in a router administrator's browser. The client-supplied DHCPv6 FQDN option 39 (and DHCPv4 option 12) hostname is written unescaped into /tmp/odhcpd.leases, enabling newline injection of attacker-controlled fields that LuCI's Active DHCPv6 Leases page renders via unsafe dom.append. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain L2 access to DHCP link
Delivery
Send lease request with crafted FQDN hostname
Exploit
odhcpd writes unescaped forged line to leases file
Execution
Admin opens LuCI Active Leases page
Persist
dom.append renders payload as live HTML
Impact
Execute JS in admin session, alter router config

Vulnerability AssessmentAI

Exploitation Requires odhcpd running as the DHCPv6/DHCPv4 server, which is the default OpenWrt configuration, and an attacker able to send DHCP requests on the local link with a crafted FQDN option 39 / option 12 hostname carrying an embedded newline plus HTML/JS. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting an unauthenticated injector, scope change into the admin session, and full C/I/A impact on a router. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to the LAN/DHCP link connects a device that requests a lease with a crafted DHCPv6 FQDN option 39 (or DHCPv4 option 12) hostname containing an embedded newline and an HTML/JavaScript payload. odhcpd writes the forged line into /tmp/odhcpd.leases, and when the router administrator later opens the LuCI Active DHCPv6 Leases page, the payload executes in their authenticated session, allowing router configuration changes. …
Remediation Vendor-released patch: OpenWrt 25.12.5 - upgrade firmware via the OpenWrt Firmware Selector (https://firmware-selector.openwrt.org/?version=25.12.5) or the release page (https://github.com/openwrt/openwrt/releases/tag/v25.12.5), which also bundles fixes for several other odhcpd CVEs (CVE-2026-53921, -53918, -53920, -53922, -55606). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all OpenWrt deployments and identify systems running versions prior to 25.12.5. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-20017 CRITICAL POC
9.8 Mar 04

In wlan service, there is a possible out of bounds write due to improper input validation. Rated critical severity (CVSS

CVE-2020-7982 HIGH POC
8.1 Mar 16

An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. Rated high severity (CVS

CVE-2018-19630 MEDIUM POC
6.1 Nov 28

cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the

CVE-2025-20654 CRITICAL
9.8 Apr 07

In wlan service, there is a possible out of bounds write due to an incorrect bounds check. Rated critical severity (CVSS

CVE-2019-5102 MEDIUM POC
5.9 Nov 18

An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1

CVE-2019-5101 MEDIUM POC
5.9 Nov 18

An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1

CVE-2025-20674 CRITICAL
9.8 Jun 02

Remote privilege escalation in Android WLAN AP driver via packet injection.

CVE-2025-20683 CRITICAL
9.8 Jul 08

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es

CVE-2025-20682 CRITICAL
9.8 Jul 08

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es

CVE-2025-20681 CRITICAL
9.8 Jul 08

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es

CVE-2026-30872 CRITICAL
9.8 Mar 19

Remote code execution in OpenWrt's mDNS daemon (versions before 24.10.6 and 25.12.1) allows unauthenticated attackers to

CVE-2026-30871 CRITICAL
9.8 Mar 19

Remote code execution in OpenWrt mdns daemon (versions before 24.10.6 and 25.12.1) allows unauthenticated attackers to c

Share

CVE-2026-62948 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy