CVE-2026-32721

Medienbericht

EPSS 0.01%
Veröffentlicht 19.03.2026 22:46:43
Zuletzt bearbeitet 20.03.2026 13:37:50
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstelleropenwrt

≫

Produkt luci

Version < 26.072.65753~068150b

Status affected

Herstelleropenwrt

≫

Produkt openwrt

Version < 24.10.6

Status affected

Version >= 25.12.0, < 25.12.1

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.005

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.6	1.8	6	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.heise.de/news/OpenWrt-Service-Releases-schliessen-kritische-Sicherheitsluecken-11219084.html

Medienbericht

heise Security

20.03.2026 12:21

https://github.com/openwrt/luci/security/advisories/GHSA-vvj6-7362-pjrw

https://github.com/openwrt/luci/commit/068150ba5f524ef6b03817b258d31ec310053fd6

https://github.com/openwrt/luci/commit/cdce600aaec66f762f18d608c74cbf3abcafe1c7

https://nvd.nist.gov/vuln/detail/CVE-2026-32721

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32721

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32721

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32721