CVE-2026-61876
HIGH
8.8
CVSS 3.1
Description
LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.
Metadata
Severity & Metrics
8.8
HIGH CVSS 3.1
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| openwrt | luci | — | — |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-79 | cna | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 9.4 | CRITICAL | 4.0 | cna | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| 8.8 | HIGH | 3.1 | cna | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
References (2)
- GitHub Security Advisory (GHSA-686p-p8p9-x6fh) https://github.com/openwrt/luci/security/advisories/GHSA-686p-p8p9-x6fh
- VulnCheck Advisory: LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting https://www.vulncheck.com/advisories/luci-dhcpv6-lease-hostname-stored-cross-site-scripting