Luci App Https Dns Proxy
Authenticated command injection in luci-app-https-dns-proxy through version 2025.12.29-5 allows a low-privileged LuCI user holding the luci.https-dns-proxy ACL permission to execute arbitrary commands as root on OpenWrt devices via shell metacharacters in the 'name' parameter of a ubus RPC call to setInitAction. Publicly available exploit code exists (Exploit-DB 52521, VulnCheck advisory), though EPSS remains low at 0.06% and the package is an optional community add-on not installed by default. Core OpenWrt installations are unaffected; only systems that explicitly opted into this LuCI add-on are at risk.