Skip to main content

luci-app-upnp EUVDEUVD-2026-43235

| CVE-2026-61875 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-12 VulnCheck GHSA-xwgp-pprm-vcx3
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.3 CRITICAL

Unauthenticated LAN request (PR:N, AV:N) but payload fires only when an admin views the page (UI:R); stored XSS executes in the admin origin, changing scope (S:C) with high confidentiality/integrity impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 12, 2026 - 12:46 vuln.today

DescriptionCVE.org

luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders without output encoding, executing the payload when administrators view the UPnP or Status pages.

AnalysisAI

Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload that executes in the router administrator's browser. By supplying malicious HTML in the NewPortMappingDescription field of a UPnP IGD AddPortMapping SOAP request, an attacker gets miniupnpd to store the value and luci-app-upnp to render it unencoded on the UPnP and Status pages. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain LAN network position
Delivery
Send crafted AddPortMapping SOAP request
Exploit
Inject script into NewPortMappingDescription
Install
miniupnpd stores malicious mapping
C2
Admin opens UPnP/Status page
Execute
Payload executes in admin session
Impact
Hijack router administration

Vulnerability AssessmentAI

Exploitation Requires that the UPnP IGD service (miniupnpd) is enabled and accepting AddPortMapping requests - the default when luci-app-upnp/miniupnpd are installed and turned on - and that the attacker can reach the UPnP control endpoint, which is normally exposed to LAN clients only (no authentication needed, consistent with PR:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P) describes an unauthenticated, low-complexity attack whose only gating factor is passive user interaction - the admin merely viewing the UPnP or Status page - yielding high confidentiality and integrity impact to the vulnerable system (VC:H/VI:H) and a score of 8.7. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malware-infected laptop or IoT device on the LAN sends a crafted UPnP AddPortMapping SOAP request to miniupnpd with a NewPortMappingDescription such as '<img src=x onerror=fetch("/cgi-bin/luci/...")>'. miniupnpd stores the mapping, and the next time the router administrator opens the LuCI UPnP or Status page, the script runs in the admin's authenticated session and can change router configuration or exfiltrate session data. …
Remediation Patch available per vendor advisory: apply the fixed luci-app-upnp package published via the OpenWrt/LuCI GitHub security advisory GHSA-8v49-6387-7f89 (https://github.com/openwrt/luci/security/advisories/GHSA-8v49-6387-7f89) by running 'opkg update && opkg upgrade luci-app-upnp' (or rebuilding firmware from patched sources); an exact fixed version number is not stated in the available data and should be taken from the advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all OpenWrt instances for luci-app-upnp module presence; restrict web interface access to designated trusted networks via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Luci

View all
CVE-2019-12272 CRITICAL
9.8 May 23

In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_st

CVE-2026-61876 CRITICAL
9.4 Jul 12

Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/Jav

CVE-2023-24181 MEDIUM POC
5.4 Apr 10

LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vuln

CVE-2022-41435 MEDIUM POC
5.4 Nov 03

OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerabilit

CVE-2020-10871 MEDIUM POC
5.3 Mar 23

In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. Rat

CVE-2026-58000 HIGH
8.7 Jun 29

Root command injection in OpenWrt's LuCI web interface (luci-proto-openvpn through 0.11.1) lets an authenticated user wi

CVE-2026-62184 HIGH
8.7 Jul 13

Ban-list poisoning in OpenWrt's luci-app-banip (banIP) before 1.8.10 lets an unauthenticated remote attacker steer the a

CVE-2026-59260 HIGH
8.7 Jul 12

Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke

CVE-2026-32721 HIGH
8.6 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in the OpenWrt LuCI web interface where malicious JavaScript co

CVE-2026-57999 HIGH
7.7 Jun 29

Authenticated root command injection in the OpenWrt LuCI community Tailscale app (luci-app-tailscale-community) lets a l

CVE-2021-27821 MEDIUM
6.1 May 25

The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerabil

CVE-2013-4482 MEDIUM
6.2 Nov 23

Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscrip

Share

EUVD-2026-43235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy