CVE-2026-62948

openwrt · openwrt

A vulnerability in the OpenWrt DHCPv6 client allows for Cross-site Scripting (XSS) via injected lease hostnames displayed in the web administrative interface.

Executive summary

OpenWrt is vulnerable to a Stored Cross-site Scripting (XSS) attack that allows an attacker to execute malicious scripts in the context of an administrator's browser session.

Vulnerability

The vulnerability stems from improper neutralization of DHCPv6 client FQDN options, which are written to system files and subsequently rendered as live HTML in the LuCI administrative interface, allowing unauthenticated attackers to inject malicious scripts.

Business impact

An attacker can leverage this vulnerability to gain unauthorized access to administrative sessions. With a CVSS score of 9.6, the potential for account takeover and subsequent configuration changes to network devices poses a significant risk to organizational network integrity and security.

Remediation

Immediate Action: Upgrade to OpenWrt version 25.12.5 or later to ensure proper sanitization of DHCP lease inputs.

Proactive Monitoring: Review the Active DHCPv6 Leases page for suspicious entries that contain script tags or unexpected special characters.

Compensating Controls: Restrict access to the LuCI administrative interface to trusted management networks only to minimize exposure.

Exploitation status

Public Exploit Available: No.

Analyst recommendation

This critical XSS vulnerability provides a path for administrative compromise. Due to the existence of a proof-of-concept and the high severity of the flaw, organizations should expedite the update to version 25.12.5 across all managed OpenWrt devices.