Luci
Monthly
Ban-list poisoning in OpenWrt's luci-app-banip (banIP) before 1.8.10 lets an unauthenticated remote attacker steer the automated IP-blocking engine at an arbitrary victim. Because the awk-based log monitor grabs the first IPv4 address it finds on a log line regardless of field position, an attacker can embed a spoofed IP inside an attacker-controlled field such as a login username; banIP then bans that injected address while the real attacker's source IP is never blocked. Reported by VulnCheck with a vendor patch available; no public exploit code or active exploitation is identified at time of analysis.
Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/JavaScript by supplying a malicious DHCPv6 Client FQDN hostname, which the DHCP lease status tables render without proper output encoding. When an administrator views the DHCP lease page, the payload executes in their authenticated browser session, enabling router admin-panel compromise. Rated CVSS 4.0 9.4 (Critical) by the vendor; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload that executes in the router administrator's browser. By supplying malicious HTML in the NewPortMappingDescription field of a UPnP IGD AddPortMapping SOAP request, an attacker gets miniupnpd to store the value and luci-app-upnp to render it unencoded on the UPnP and Status pages. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High).
Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke the root-owned Samba daemon with attacker-controlled arguments. The package's 'read' ACL improperly grants file.exec permission on /usr/sbin/smbd, so a low-privileged operator can launch smbd with global options like 'message command' and achieve arbitrary command execution as root when SMB messages are processed. Reported by VulnCheck with a GHSA advisory published; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Root command injection in OpenWrt's LuCI web interface (luci-proto-openvpn through 0.11.1) lets an authenticated user with OpenVPN protocol configuration access run arbitrary commands as root. The flaw lives in the generateKey ubus method, where the cl_meta parameter is passed unescaped into a popen() shell call. No public exploit has been identified at time of analysis, but a vendor advisory (GHSA-pm9w-522m-8rrh) and fix commit exist, and the CVSS 4.0 score of 8.7 reflects full confidentiality, integrity, and availability impact on the affected device.
Authenticated root command injection in the OpenWrt LuCI community Tailscale app (luci-app-tailscale-community) lets a logged-in web UI user run arbitrary OS commands as root through the tailscale.do_login RPC method. Because the user-supplied loginserver and loginserver_authkey values are placed inside a double-quoted shell string, $() and backtick substitutions are evaluated by the outer shell, turning configuration input into command execution. Reported by VulnCheck with a published GHSA advisory; no public exploit identified at time of analysis and the issue is not in CISA KEV.
A stored cross-site scripting (XSS) vulnerability exists in the OpenWrt LuCI web interface where malicious JavaScript code embedded in Wi-Fi network names (SSIDs) can execute when users open the wireless scan modal. The vulnerability affects OpenWrt versions newer than 23.05/22.03 up to 24.10.5 and 25.12.0, allowing attackers within wireless range to compromise users who scan for available networks. No active exploitation has been reported (not in KEV), and with an EPSS score not provided, the real-world exploitation risk appears limited despite the high CVSS score of 8.6.
A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504.uc of the component 404 Error Template Handler. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.
Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.
Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in. Rated medium severity (CVSS 6.2). No vendor patch available.
Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive. Rated low severity (CVSS 1.9). No vendor patch available.
Ban-list poisoning in OpenWrt's luci-app-banip (banIP) before 1.8.10 lets an unauthenticated remote attacker steer the automated IP-blocking engine at an arbitrary victim. Because the awk-based log monitor grabs the first IPv4 address it finds on a log line regardless of field position, an attacker can embed a spoofed IP inside an attacker-controlled field such as a login username; banIP then bans that injected address while the real attacker's source IP is never blocked. Reported by VulnCheck with a vendor patch available; no public exploit code or active exploitation is identified at time of analysis.
Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/JavaScript by supplying a malicious DHCPv6 Client FQDN hostname, which the DHCP lease status tables render without proper output encoding. When an administrator views the DHCP lease page, the payload executes in their authenticated browser session, enabling router admin-panel compromise. Rated CVSS 4.0 9.4 (Critical) by the vendor; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload that executes in the router administrator's browser. By supplying malicious HTML in the NewPortMappingDescription field of a UPnP IGD AddPortMapping SOAP request, an attacker gets miniupnpd to store the value and luci-app-upnp to render it unencoded on the UPnP and Status pages. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High).
Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke the root-owned Samba daemon with attacker-controlled arguments. The package's 'read' ACL improperly grants file.exec permission on /usr/sbin/smbd, so a low-privileged operator can launch smbd with global options like 'message command' and achieve arbitrary command execution as root when SMB messages are processed. Reported by VulnCheck with a GHSA advisory published; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Root command injection in OpenWrt's LuCI web interface (luci-proto-openvpn through 0.11.1) lets an authenticated user with OpenVPN protocol configuration access run arbitrary commands as root. The flaw lives in the generateKey ubus method, where the cl_meta parameter is passed unescaped into a popen() shell call. No public exploit has been identified at time of analysis, but a vendor advisory (GHSA-pm9w-522m-8rrh) and fix commit exist, and the CVSS 4.0 score of 8.7 reflects full confidentiality, integrity, and availability impact on the affected device.
Authenticated root command injection in the OpenWrt LuCI community Tailscale app (luci-app-tailscale-community) lets a logged-in web UI user run arbitrary OS commands as root through the tailscale.do_login RPC method. Because the user-supplied loginserver and loginserver_authkey values are placed inside a double-quoted shell string, $() and backtick substitutions are evaluated by the outer shell, turning configuration input into command execution. Reported by VulnCheck with a published GHSA advisory; no public exploit identified at time of analysis and the issue is not in CISA KEV.
A stored cross-site scripting (XSS) vulnerability exists in the OpenWrt LuCI web interface where malicious JavaScript code embedded in Wi-Fi network names (SSIDs) can execute when users open the wireless scan modal. The vulnerability affects OpenWrt versions newer than 23.05/22.03 up to 24.10.5 and 25.12.0, allowing attackers within wireless range to compromise users who scan for available networks. No active exploitation has been reported (not in KEV), and with an EPSS score not provided, the real-world exploitation risk appears limited despite the high CVSS score of 8.6.
A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504.uc of the component 404 Error Template Handler. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.
Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.
Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in. Rated medium severity (CVSS 6.2). No vendor patch available.
Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive. Rated low severity (CVSS 1.9). No vendor patch available.