Skip to main content

Luci

16 CVEs product

Monthly

CVE-2026-62184 HIGH PATCH This Week

Ban-list poisoning in OpenWrt's luci-app-banip (banIP) before 1.8.10 lets an unauthenticated remote attacker steer the automated IP-blocking engine at an arbitrary victim. Because the awk-based log monitor grabs the first IPv4 address it finds on a log line regardless of field position, an attacker can embed a spoofed IP inside an attacker-controlled field such as a login username; banIP then bans that injected address while the real attacker's source IP is never blocked. Reported by VulnCheck with a vendor patch available; no public exploit code or active exploitation is identified at time of analysis.

Code Injection Luci
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-61876 CRITICAL Act Now

Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/JavaScript by supplying a malicious DHCPv6 Client FQDN hostname, which the DHCP lease status tables render without proper output encoding. When an administrator views the DHCP lease page, the payload executes in their authenticated browser session, enabling router admin-panel compromise. Rated CVSS 4.0 9.4 (Critical) by the vendor; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Luci
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2026-61875 HIGH This Week

Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload that executes in the router administrator's browser. By supplying malicious HTML in the NewPortMappingDescription field of a UPnP IGD AddPortMapping SOAP request, an attacker gets miniupnpd to store the value and luci-app-upnp to render it unencoded on the UPnP and Status pages. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High).

XSS Luci
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59260 HIGH This Week

Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke the root-owned Samba daemon with attacker-controlled arguments. The package's 'read' ACL improperly grants file.exec permission on /usr/sbin/smbd, so a low-privileged operator can launch smbd with global options like 'message command' and achieve arbitrary command execution as root when SMB messages are processed. Reported by VulnCheck with a GHSA advisory published; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Luci
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-58000 HIGH PATCH This Week

Root command injection in OpenWrt's LuCI web interface (luci-proto-openvpn through 0.11.1) lets an authenticated user with OpenVPN protocol configuration access run arbitrary commands as root. The flaw lives in the generateKey ubus method, where the cl_meta parameter is passed unescaped into a popen() shell call. No public exploit has been identified at time of analysis, but a vendor advisory (GHSA-pm9w-522m-8rrh) and fix commit exist, and the CVSS 4.0 score of 8.7 reflects full confidentiality, integrity, and availability impact on the affected device.

Command Injection Luci
NVD GitHub
CVSS 4.0
8.7
EPSS
1.4%
CVE-2026-57999 HIGH This Week

Authenticated root command injection in the OpenWrt LuCI community Tailscale app (luci-app-tailscale-community) lets a logged-in web UI user run arbitrary OS commands as root through the tailscale.do_login RPC method. Because the user-supplied loginserver and loginserver_authkey values are placed inside a double-quoted shell string, $() and backtick substitutions are evaluated by the outer shell, turning configuration input into command execution. Reported by VulnCheck with a published GHSA advisory; no public exploit identified at time of analysis and the issue is not in CISA KEV.

Command Injection Luci
NVD GitHub
CVSS 4.0
7.7
EPSS
1.2%
CVE-2026-32721 HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in the OpenWrt LuCI web interface where malicious JavaScript code embedded in Wi-Fi network names (SSIDs) can execute when users open the wireless scan modal. The vulnerability affects OpenWrt versions newer than 23.05/22.03 up to 24.10.5 and 25.12.0, allowing attackers within wireless range to compromise users who scan for available networks. No active exploitation has been reported (not in KEV), and with an EPSS score not provided, the real-world exploitation risk appears limited despite the high CVSS score of 8.6.

XSS Luci Openwrt
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2023-3085 MEDIUM PATCH This Month

A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504.uc of the component 404 Error Template Handler. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Luci
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-24181 MEDIUM POC PATCH This Month

LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Luci
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-41435 MEDIUM POC PATCH This Month

OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Luci
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-27821 MEDIUM This Month

The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS Luci
NVD VulDB
CVSS 3.1
6.1
EPSS
0.8%
CVE-2020-10871 MEDIUM POC PATCH This Month

In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Luci
NVD GitHub
CVSS 3.1
5.3
EPSS
1.7%
CVE-2019-12272 CRITICAL PATCH Act Now

In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Luci
NVD GitHub
CVSS 3.0
9.8
EPSS
7.4%
CVE-2014-3593 MEDIUM This Month

Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.

RCE Python Code Injection Luci
NVD
CVSS 2.0
6.0
EPSS
0.3%
CVE-2013-4482 MEDIUM This Month

Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in. Rated medium severity (CVSS 6.2). No vendor patch available.

Python Information Disclosure Luci Enterprise Linux
NVD
CVSS 2.0
6.2
EPSS
0.1%
CVE-2013-4481 LOW Monitor

Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive. Rated low severity (CVSS 1.9). No vendor patch available.

Information Disclosure Race Condition Luci Enterprise Linux
NVD
CVSS 2.0
1.9
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Ban-list poisoning in OpenWrt's luci-app-banip (banIP) before 1.8.10 lets an unauthenticated remote attacker steer the automated IP-blocking engine at an arbitrary victim. Because the awk-based log monitor grabs the first IPv4 address it finds on a log line regardless of field position, an attacker can embed a spoofed IP inside an attacker-controlled field such as a login username; banIP then bans that injected address while the real attacker's source IP is never blocked. Reported by VulnCheck with a vendor patch available; no public exploit code or active exploitation is identified at time of analysis.

Code Injection Luci
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL Act Now

Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/JavaScript by supplying a malicious DHCPv6 Client FQDN hostname, which the DHCP lease status tables render without proper output encoding. When an administrator views the DHCP lease page, the payload executes in their authenticated browser session, enabling router admin-panel compromise. Rated CVSS 4.0 9.4 (Critical) by the vendor; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Luci
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload that executes in the router administrator's browser. By supplying malicious HTML in the NewPortMappingDescription field of a UPnP IGD AddPortMapping SOAP request, an attacker gets miniupnpd to store the value and luci-app-upnp to render it unencoded on the UPnP and Status pages. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High).

XSS Luci
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH This Week

Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke the root-owned Samba daemon with attacker-controlled arguments. The package's 'read' ACL improperly grants file.exec permission on /usr/sbin/smbd, so a low-privileged operator can launch smbd with global options like 'message command' and achieve arbitrary command execution as root when SMB messages are processed. Reported by VulnCheck with a GHSA advisory published; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Luci
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Root command injection in OpenWrt's LuCI web interface (luci-proto-openvpn through 0.11.1) lets an authenticated user with OpenVPN protocol configuration access run arbitrary commands as root. The flaw lives in the generateKey ubus method, where the cl_meta parameter is passed unescaped into a popen() shell call. No public exploit has been identified at time of analysis, but a vendor advisory (GHSA-pm9w-522m-8rrh) and fix commit exist, and the CVSS 4.0 score of 8.7 reflects full confidentiality, integrity, and availability impact on the affected device.

Command Injection Luci
NVD GitHub
EPSS 1% CVSS 7.7
HIGH This Week

Authenticated root command injection in the OpenWrt LuCI community Tailscale app (luci-app-tailscale-community) lets a logged-in web UI user run arbitrary OS commands as root through the tailscale.do_login RPC method. Because the user-supplied loginserver and loginserver_authkey values are placed inside a double-quoted shell string, $() and backtick substitutions are evaluated by the outer shell, turning configuration input into command execution. Reported by VulnCheck with a published GHSA advisory; no public exploit identified at time of analysis and the issue is not in CISA KEV.

Command Injection Luci
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in the OpenWrt LuCI web interface where malicious JavaScript code embedded in Wi-Fi network names (SSIDs) can execute when users open the wireless scan modal. The vulnerability affects OpenWrt versions newer than 23.05/22.03 up to 24.10.5 and 25.12.0, allowing attackers within wireless range to compromise users who scan for available networks. No active exploitation has been reported (not in KEV), and with an EPSS score not provided, the real-world exploitation risk appears limited despite the high CVSS score of 8.6.

XSS Luci Openwrt
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504.uc of the component 404 Error Template Handler. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Luci
NVD GitHub VulDB
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Luci
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Luci
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS Luci
NVD VulDB
EPSS 2% CVSS 5.3
MEDIUM POC PATCH This Month

In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Luci
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Luci
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM This Month

Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.

RCE Python Code Injection +1
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in. Rated medium severity (CVSS 6.2). No vendor patch available.

Python Information Disclosure Luci +1
NVD
EPSS 0% CVSS 1.9
LOW Monitor

Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive. Rated low severity (CVSS 1.9). No vendor patch available.

Information Disclosure Race Condition Luci +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy