Description
LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Sun, 12 Jul 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Openwrt
Openwrt luci |
|
| Vendors & Products |
Openwrt
Openwrt luci |
Sun, 12 Jul 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages. | |
| Title | LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-12T12:07:55.788Z
Reserved: 2026-07-10T21:54:26.760Z
Link: CVE-2026-61876
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-12T13:30:03Z
Weaknesses
-
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')