CVE-2026-61876
OpenWrt · LuCI
A stored cross-site scripting (XSS) vulnerability in OpenWrt LuCI allows adjacent network attackers to inject malicious HTML via DHCPv6 lease hostnames.
Executive summary
A stored XSS vulnerability in OpenWrt's LuCI interface allows an adjacent network attacker to execute arbitrary scripts in an administrator's browser via crafted DHCPv6 hostnames.
Vulnerability
This is a stored XSS vulnerability (CWE-79) caused by improper encoding of DHCPv6 lease hostnames. An attacker on the adjacent network can provide a crafted FQDN containing malicious tags that execute when an administrator views the status tables.
Business impact
The CVSS score of 8.8 underscores the severity of this issue, as it permits lateral movement and administrative compromise. Successful exploitation could lead to session hijacking, theft of administrative credentials, or further malicious configuration changes, potentially impacting the entire network managed by the device.
Remediation
Immediate Action: Consult the vendor advisory at https://github.com/openwrt/luci/security/advisories/GHSA-686p-p8p9-x6fh to identify the appropriate patch version and update the firmware or LuCI package immediately.
Proactive Monitoring: Audit DHCP lease tables for unusual or non-standard characters in hostnames and monitor web interface access logs.
Compensating Controls: Implement network segmentation to limit the reach of adjacent network attackers and use a WAF to inspect traffic directed at the management interface if possible.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability requires urgent attention due to its potential to compromise administrative sessions from the adjacent network. Administrators should prioritize applying the provided vendor patches to neutralize this XSS vector and secure the management interface.