CVE-2026-61876 PUBLISHED

LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting

Assigner: VulnCheck
Reserved: 10.07.2026 Published: 12.07.2026 Updated: 12.07.2026

LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Product Status

Vendor openwrt
Product luci
Versions Default: affected

Credits

  • lujiefsi reporter

References

Problem Types

  • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE