Improper HTML Encoding in LuCI by OpenWrt Leads to Cross-Site Scripting Vulnerability
CVE-2026-61876
9.4CRITICAL
What is CVE-2026-61876?
The LuCI interface for OpenWrt is susceptible to a Cross-Site Scripting (XSS) vulnerability due to improper HTML encoding of DHCPv6 lease hostnames. This flaw enables adjacent network attackers to inject malicious HTML markup into the status tables displayed in the LuCI interface. Specifically, attackers can exploit the weakness by sending DHCPv6 Client FQDNs that contain script tags, which will be executed in the browser of an administrator viewing the DHCP lease pages. This vulnerability poses significant security risks, as it could potentially allow attackers to execute arbitrary code within the context of the administrator’s session.
