Stored Cross-Site Scripting in luci-app-upnp by OpenWrt
CVE-2026-61875

8.7HIGH

Key Information:

Vendor

Openwrt

Status
Vendor
CVE Published:
12 July 2026

What is CVE-2026-61875?

The luci-app-upnp product from OpenWrt is susceptible to a stored cross-site scripting vulnerability. This flaw allows unauthenticated local network clients to inject malicious JavaScript through UPnP IGD AddPortMapping SOAP requests. Specifically, the vulnerability lies in the NewPortMappingDescription field, which can be exploited by sending crafted HTML code. When this malicious content is stored by miniupnpd and subsequently rendered by luci-app-upnp without proper output encoding, it executes the injected payload when an administrator accesses the UPnP or Status pages, potentially leading to unauthorized actions on the interface.

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

lujiefsi
.