Back to overview

CVE-2026-62184

HIGH
7.5
CVSS 3.1
Description
luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP address into the login username field, causing banIP to block the wrong target while the real attacker remains unblocked.

Metadata

CVE ID
CVE-2026-62184
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-13 16:36 UTC
Published
2026-07-13 21:30 UTC
Last updated
2026-07-13 21:30 UTC
Primary CWE
CWE-116
Improper Encoding or Escaping of Output
Vendor / Product
openwrt / luci
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products (1)
VendorProductPlatformVersions
openwrt luci 0 ≤ 0.11.1, d9bbc372e29618a8807b693a1ccf6d0e42cd196c
Weakness (CWE)
CWESourceDescription
CWE-116 cna Improper Encoding or Escaping of Output
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Back to overview