Stored Cross-Site Scripting in luci-app-upnp by OpenWrt
CVE-2026-61875
8.7HIGH
What is CVE-2026-61875?
The luci-app-upnp product from OpenWrt is susceptible to a stored cross-site scripting vulnerability. This flaw allows unauthenticated local network clients to inject malicious JavaScript through UPnP IGD AddPortMapping SOAP requests. Specifically, the vulnerability lies in the NewPortMappingDescription field, which can be exploited by sending crafted HTML code. When this malicious content is stored by miniupnpd and subsequently rendered by luci-app-upnp without proper output encoding, it executes the injected payload when an administrator accesses the UPnP or Status pages, potentially leading to unauthorized actions on the interface.
