Improper HTML Encoding in LuCI by OpenWrt Leads to Cross-Site Scripting Vulnerability
CVE-2026-61876

9.4CRITICAL

Key Information:

Vendor

Openwrt

Status
Vendor
CVE Published:
12 July 2026

What is CVE-2026-61876?

The LuCI interface for OpenWrt is susceptible to a Cross-Site Scripting (XSS) vulnerability due to improper HTML encoding of DHCPv6 lease hostnames. This flaw enables adjacent network attackers to inject malicious HTML markup into the status tables displayed in the LuCI interface. Specifically, attackers can exploit the weakness by sending DHCPv6 Client FQDNs that contain script tags, which will be executed in the browser of an administrator viewing the DHCP lease pages. This vulnerability poses significant security risks, as it could potentially allow attackers to execute arbitrary code within the context of the administrator’s session.

References

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

lujiefsi
.