CVE-2026-61875
OpenWrt · LuCI
A stored cross-site scripting (XSS) vulnerability in the OpenWrt LuCI luci-app-upnp component allows unauthenticated LAN clients to inject malicious JavaScript via UPnP SOAP requests.
Executive summary
An unauthenticated stored XSS vulnerability in OpenWrt's LuCI interface allows local attackers to execute arbitrary JavaScript in the context of an administrator's browser session.
Vulnerability
This is a stored XSS flaw (CWE-79) residing in the luci-app-upnp component. Unauthenticated LAN-based attackers can inject malicious scripts via the NewPortMappingDescription field in UPnP IGD AddPortMapping SOAP requests, which then execute when an administrator views the UPnP or Status pages.
Business impact
The vulnerability carries a CVSS score of 8.8, reflecting its potential for high impact on data integrity and confidentiality. Successful exploitation allows an attacker to perform actions on behalf of an administrator, potentially leading to unauthorized configuration changes, credential theft, or further compromise of the network infrastructure.
Remediation
Immediate Action: Consult the official OpenWrt security advisory at https://github.com/openwrt/luci/security/advisories/GHSA-8v49-6387-7f89 to identify patched releases and apply updates immediately.
Proactive Monitoring: Review access logs for suspicious SOAP requests or unusual entries in the UPnP mapping descriptions.
Compensating Controls: If patching is delayed, restrict access to the LuCI administrative interface and, where possible, disable the UPnP service if it is not required for network operations.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the high severity and the ability for unauthenticated local users to trigger this attack, immediate attention is required. Administrators should prioritize verifying their software versions against the vendor’s guidance and applying the relevant security patches to eliminate this stored XSS vector.