Description
LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0 contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.
Published: 2026-03-19
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows an attacker to inject and execute arbitrary script within the user’s LuCI interface when a WiFi scan modal is opened.
Action: Apply Patch
AI Analysis

Impact

A stored XSS flaw exists in the LuCI wireless scan modal. SSIDs returned from a scan are inserted into the page via a template literal that feeds raw text into innerHTML without sanitization. An attacker can broadcast a rogue access point with a malicious SSID that contains arbitrary HTML or JavaScript, which will be rendered when a user opens the scan modal and the page processes the SSID. This can lead to session hijacking, credential theft, or arbitrary code execution with the privileges of the logged‑in user.
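The rendering pattern the description and the Impact section refer to, as an added example that is not LuCI's code: a scan result's SSID interpolated into an HTML template literal that a caller would hand to innerHTML, next to a hardened renderer that escapes every field that came off the air. The scan results, the SSID containing markup, and the function names are constructed for this illustration; in browser code the equivalent fix is to insert the SSID as a text node (textContent or document.createTextNode) rather than as part of a markup string.

```javascript
// Added example (not from the LuCI project). Runs in Node without a DOM: each
// renderer returns the HTML string a caller would assign to innerHTML, so the
// difference between the two treatments is visible in the return value.

// Constructed scan results, not real captures. The second SSID carries markup
// only to show that an SSID is attacker-controlled text and must not be
// interpreted as HTML.
const SCAN_RESULTS = [
  { ssid: 'HomeNet',          bssid: '00:11:22:33:44:55', channel: 6,  signal: -55 },
  { ssid: '<b>Free WiFi</b>', bssid: '66:77:88:99:AA:BB', channel: 11, signal: -70 },
];

// Escape the five HTML metacharacters so a value is rendered as literal text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (CWE-79): the raw SSID is spliced into a template literal,
// so whatever the access point broadcast becomes part of the page's markup.
function renderRowUnsafe(res) {
  return `<div class="tr"><div class="td">${res.ssid}</div>` +
         `<div class="td">${res.bssid}</div><div class="td">${res.channel}</div></div>`;
}

// Hardened pattern: every field from the scan is escaped before it reaches
// markup. Numeric fields are escaped too; treating all scan fields uniformly
// as untrusted is cheaper than reasoning about each one.
function renderRowSafe(res) {
  return `<div class="tr"><div class="td">${escapeHtml(res.ssid)}</div>` +
         `<div class="td">${escapeHtml(res.bssid)}</div>` +
         `<div class="td">${escapeHtml(res.channel)}</div></div>`;
}

// Defender-side audit: BSSIDs of scan entries whose SSID contains HTML
// metacharacters, so an operator can see what a scan actually returned.
function ssidsWithMarkup(results) {
  return results.filter((r) => /[<>"'&]/.test(r.ssid)).map((r) => r.bssid);
}

// Render the whole constructed scan table the hardened way.
function renderTableSafe(results) {
  return `<div class="table">${results.map(renderRowSafe).join('')}</div>`;
}
```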

Affected Systems

The vulnerability affects OpenWrt LuCI installations that use the luci-mod-network package and run LuCI versions earlier than 24.10.5 or 25.12.0. It applies to OpenWrt releases newer than 23.05/22.03 up to the patched releases 24.10.6 and 25.12.1, and subsequently to any newer builds that include the LuCI 26.072.65753~068150b update. Devices running these OpenWrt releases are therefore impacted unless updated.

Risk and Exploitability

The CVSS score is 8.6, categorising the issue as high severity. Exploitation requires human interaction: the victim must open the wireless scan modal while connected to or within range of an access point broadcasting a malicious SSID. The EPSS probability is below 1%, indicating a low likelihood of immediate widespread use. The flaw is not currently listed in the CISA KEV catalog. Attackers would need to control SSID broadcasting and motivate the user to open the scan modal, making exploitation more complex but still feasible in targeted scenarios.

Generated by OpenCVE AI on April 14, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest LuCI version, at least 24.10.6, 25.12.1, or newer revision 26.072.65753~068150b, which removes the vulnerable code.
  • Confirm that the luci-mod-network package has been replaced and no older versions remain installed.


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:00:00 +0000

Type: CPEs
Values Added:
  cpe:2.3:a:openwrt:luci:*:*:*:*:*:*:*:*
  cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Openwrt; Openwrt luci; Openwrt openwrt

Type: Vendors & Products
Values Added: Openwrt; Openwrt luci; Openwrt openwrt

Fri, 20 Mar 2026 00:15:00 +0000

Type: References

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Important


Thu, 19 Mar 2026 23:00:00 +0000

Type: Description
Values Added: LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.

Type: Title
Values Added: LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T03:56:15.781Z

Reserved: 2026-03-13T15:02:00.625Z

Link: CVE-2026-32721

Vulnrichment

Updated: 2026-03-20T17:33:46.277Z

NVD

Status : Analyzed

Published: 2026-03-19T23:16:44.030

Modified: 2026-04-14T17:49:24.540

Link: CVE-2026-32721

Redhat

Severity : Important

Public Date: 2026-03-19T22:46:43Z

Links: CVE-2026-32721 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses