CVE-2026-61876

OpenWrt · LuCI

A stored cross-site scripting (XSS) vulnerability in OpenWrt LuCI allows adjacent network attackers to inject malicious HTML via DHCPv6 lease hostnames.

Executive summary

A stored XSS vulnerability in OpenWrt's LuCI interface allows an adjacent network attacker to execute arbitrary scripts in an administrator's browser via crafted DHCPv6 hostnames.

Vulnerability

This is a stored XSS vulnerability (CWE-79) caused by improper encoding of DHCPv6 lease hostnames. An attacker on the adjacent network can provide a crafted FQDN containing malicious tags that execute when an administrator views the status tables.

Business impact

The CVSS score of 8.8 underscores the severity of this issue, as it permits lateral movement and administrative compromise. Successful exploitation could lead to session hijacking, theft of administrative credentials, or further malicious configuration changes, potentially impacting the entire network managed by the device.

Remediation

Immediate Action: Consult the vendor advisory at https://github.com/openwrt/luci/security/advisories/GHSA-686p-p8p9-x6fh to identify the appropriate patch version and update the firmware or LuCI package immediately.

Proactive Monitoring: Audit DHCP lease tables for unusual or non-standard characters in hostnames and monitor web interface access logs.

Compensating Controls: Implement network segmentation to limit the reach of adjacent network attackers and use a WAF to inspect traffic directed at the management interface if possible.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability requires urgent attention due to its potential to compromise administrative sessions from the adjacent network. Administrators should prioritize applying the provided vendor patches to neutralize this XSS vector and secure the management interface.