Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    300 vulnerabilities by openwrt

    CVE-2026-62184 (GCVE-0-2026-62184)

    Vulnerability from nvd – Published: 2026-07-13 21:30 – Updated: 2026-07-13 21:30 X_Open Source
    VLAI
    Title
    luci-app-banip Log Monitor IP Extraction Bypass
    Summary
    luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP address into the login username field, causing banIP to block the wrong target while the real attacker remains unblocked.
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
    openwrt luci Affected: 0 , ≤ 0.11.1 (semver)
    Unaffected: d9bbc372e29618a8807b693a1ccf6d0e42cd196c (git)
    Create a notification for this product.
    Date Public
    2026-06-28 00:00
    Credits
    lujie (@lujiefsi)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "luci",
              "repo": "https://github.com/openwrt/luci",
              "vendor": "openwrt",
              "versions": [
                {
                  "lessThanOrEqual": "0.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "d9bbc372e29618a8807b693a1ccf6d0e42cd196c",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "lujie (@lujiefsi)"
            }
          ],
          "datePublic": "2026-06-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP address into the login username field, causing banIP to block the wrong target while the real attacker remains unblocked."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T21:30:09.248Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-r6hx-4f83-vp8m)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-r6hx-4f83-vp8m"
            },
            {
              "name": "Patch Commit",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/d9bbc372e29618a8807b693a1ccf6d0e42cd196c"
            },
            {
              "name": "VulnCheck Advisory: luci-app-banip Log Monitor IP Extraction Bypass",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-app-banip-log-monitor-ip-extraction-bypass"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "luci-app-banip Log Monitor IP Extraction Bypass",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-62184",
        "datePublished": "2026-07-13T21:30:09.248Z",
        "dateReserved": "2026-07-13T16:36:32.094Z",
        "dateUpdated": "2026-07-13T21:30:09.248Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-61876 (GCVE-0-2026-61876)

    Vulnerability from nvd – Published: 2026-07-12 12:07 – Updated: 2026-07-12 12:07
    VLAI
    Title
    LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting
    Summary
    LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Date Public
    2026-06-27 00:00
    Credits
    lujiefsi
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "luci",
              "vendor": "openwrt"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "lujiefsi"
            }
          ],
          "datePublic": "2026-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator\u0027s browser when viewing DHCP lease pages."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-12T12:07:55.788Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-686p-p8p9-x6fh)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-686p-p8p9-x6fh"
            },
            {
              "name": "VulnCheck Advisory: LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-dhcpv6-lease-hostname-stored-cross-site-scripting"
            }
          ],
          "title": "LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-61876",
        "datePublished": "2026-07-12T12:07:55.788Z",
        "dateReserved": "2026-07-10T21:54:26.760Z",
        "dateUpdated": "2026-07-12T12:07:55.788Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-61875 (GCVE-0-2026-61875)

    Vulnerability from nvd – Published: 2026-07-12 12:06 – Updated: 2026-07-13 14:19
    VLAI
    Title
    luci-app-upnp Stored XSS via UPnP Port Mapping Description
    Summary
    luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders without output encoding, executing the payload when administrators view the UPnP or Status pages.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Date Public
    2026-06-27 00:00
    Credits
    lujiefsi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-61875",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T14:19:23.887144Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T14:19:53.274Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/openwrt/luci/security/advisories/GHSA-8v49-6387-7f89"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "luci",
              "vendor": "openwrt"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "lujiefsi"
            }
          ],
          "datePublic": "2026-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders without output encoding, executing the payload when administrators view the UPnP or Status pages."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-12T12:06:36.956Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-8v49-6387-7f89)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-8v49-6387-7f89"
            },
            {
              "name": "VulnCheck Advisory: luci-app-upnp Stored XSS via UPnP Port Mapping Description",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-app-upnp-stored-xss-via-upnp-port-mapping-description"
            }
          ],
          "title": "luci-app-upnp Stored XSS via UPnP Port Mapping Description",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-61875",
        "datePublished": "2026-07-12T12:06:36.956Z",
        "dateReserved": "2026-07-10T21:54:26.760Z",
        "dateUpdated": "2026-07-13T14:19:53.274Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59260 (GCVE-0-2026-59260)

    Vulnerability from nvd – Published: 2026-07-12 12:06 – Updated: 2026-07-13 15:10
    VLAI
    Title
    OpenWrt luci-app-samba4 read ACL remote code execution via smbd
    Summary
    OpenWrt luci-app-samba4 read ACL grants file.exec permission on /usr/sbin/smbd, allowing authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can pass arbitrary Samba global options such as message command to a root smbd process, triggering command execution when SMB protocol messages are processed.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Date Public
    2026-06-27 00:00
    Credits
    ZwCrazyThursday
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59260",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T15:10:26.958671Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T15:10:35.291Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/openwrt/luci/security/advisories/GHSA-vx64-mmp7-h36c"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "luci",
              "vendor": "openwrt"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "ZwCrazyThursday"
            }
          ],
          "datePublic": "2026-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt luci-app-samba4 read ACL grants file.exec permission on /usr/sbin/smbd, allowing authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can pass arbitrary Samba global options such as message command to a root smbd process, triggering command execution when SMB protocol messages are processed."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-12T12:06:35.592Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-vx64-mmp7-h36c)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-vx64-mmp7-h36c"
            },
            {
              "name": "VulnCheck Advisory: OpenWrt luci-app-samba4 read ACL remote code execution via smbd",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/openwrt-luci-app-samba4-read-acl-remote-code-execution-via-smbd"
            }
          ],
          "title": "OpenWrt luci-app-samba4 read ACL remote code execution via smbd",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-59260",
        "datePublished": "2026-07-12T12:06:35.592Z",
        "dateReserved": "2026-07-04T12:17:14.302Z",
        "dateUpdated": "2026-07-13T15:10:35.291Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55490 (GCVE-0-2026-55490)

    Vulnerability from nvd – Published: 2026-07-07 21:08 – Updated: 2026-07-08 13:52
    VLAI
    Title
    OpenWrt: EAD Integer Underflow → Pre-Auth Denial of Service
    Summary
    OpenWrt is a Linux operating system targeting embedded devices. Before v25.12.5, an integer underflow in handle_send_a() of the Emergency Access Daemon allows any unauthenticated attacker on the local network to crash the daemon by sending a single crafted UDP packet. The message length underflows before a bounds check and is then passed to memcpy as a very large size. This issue is fixed v25.12.5.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-191 - Integer Underflow (Wrap or Wraparound)
    Assigner
    Impacted products
    Vendor Product Version
    openwrt openwrt Affected: < 25.12.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55490",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:51:49.570163Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:52:07.490Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 25.12.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt is a Linux operating system targeting embedded devices. Before v25.12.5, an integer underflow in handle_send_a() of the Emergency Access Daemon allows any unauthenticated attacker on the local network to crash the daemon by sending a single crafted UDP packet. The message length underflows before a bounds check and is then passed to memcpy as a very large size. This issue is fixed v25.12.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-191",
                  "description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T21:08:26.638Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-9558-77jp-g3fw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-9558-77jp-g3fw"
            },
            {
              "name": "https://github.com/openwrt/openwrt/commit/63c0767f3d02f7b10b0f0b5293366bd059a08ca5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/commit/63c0767f3d02f7b10b0f0b5293366bd059a08ca5"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.5"
            }
          ],
          "source": {
            "advisory": "GHSA-9558-77jp-g3fw",
            "discovery": "UNKNOWN"
          },
          "title": "OpenWrt: EAD Integer Underflow \u2192 Pre-Auth Denial of Service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55490",
        "datePublished": "2026-07-07T21:08:26.638Z",
        "dateReserved": "2026-06-16T22:28:27.062Z",
        "dateUpdated": "2026-07-08T13:52:07.490Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58652 (GCVE-0-2026-58652)

    Vulnerability from nvd – Published: 2026-07-02 12:28 – Updated: 2026-07-02 13:16
    VLAI
    Title
    luci-app-travelmate - Arbitrary Command Execution via UCI Script Parameter
    Summary
    luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    openwrt luci-app-travelmate Affected: 2.4.5-r3 (custom)
    Create a notification for this product.
    openwrt travelmate Affected: 2.4.5-r3 (custom)
    Affected: 2.4.6-1 (custom)
    Create a notification for this product.
    Date Public
    2026-06-17 00:00
    Credits
    ZwCrazyThursday
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58652",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T13:16:39.810703Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T13:16:44.529Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/openwrt/luci/security/advisories/GHSA-p35r-3323-6g7g"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "luci-app-travelmate",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.4.5-r3",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "travelmate",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.4.5-r3",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "2.4.6-1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "ZwCrazyThursday"
            }
          ],
          "datePublic": "2026-06-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI \u0027script\u0027 and \u0027script_args\u0027 values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T12:28:34.022Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-p35r-3323-6g7g)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-p35r-3323-6g7g"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/f85102548ee8325bfd581a0327b210b5f7670829",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/f85102548ee8325bfd581a0327b210b5f7670829"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/491f1df06645c4e0757fed4a9f0622e9ce0d300c",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/491f1df06645c4e0757fed4a9f0622e9ce0d300c"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/71d92bcc9edbc8f95858ce82a8ff5d52500005a2",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/71d92bcc9edbc8f95858ce82a8ff5d52500005a2"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/0627b412ee3a760cc4bca9fc8a5b73de8f33ac10",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/0627b412ee3a760cc4bca9fc8a5b73de8f33ac10"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/d6e457a1a70a9010195edeafdc0b8eb6e3b0f7f1",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/d6e457a1a70a9010195edeafdc0b8eb6e3b0f7f1"
            },
            {
              "name": "VulnCheck Advisory: luci-app-travelmate - Arbitrary Command Execution via UCI Script Parameter",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-app-travelmate-arbitrary-command-execution-via-uci-script-parameter"
            }
          ],
          "title": "luci-app-travelmate - Arbitrary Command Execution via UCI Script Parameter",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-58652",
        "datePublished": "2026-07-02T12:28:34.022Z",
        "dateReserved": "2026-07-01T21:54:37.945Z",
        "dateUpdated": "2026-07-02T13:16:44.529Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58000 (GCVE-0-2026-58000)

    Vulnerability from nvd – Published: 2026-06-29 18:16 – Updated: 2026-06-30 11:15 X_Open Source
    VLAI
    Title
    luci-proto-openvpn - Command Injection via cl_meta Parameter in generateKey
    Summary
    luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the generateKey ubus method where the cl_meta parameter is interpolated into a shell command without proper escaping or quoting. An authenticated LuCI user with OpenVPN protocol configuration access can inject arbitrary shell metacharacters into cl_meta to execute commands as root via the popen function.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    openwrt luci-proto-openvpn Affected: 0 , ≤ 0.11.1 (semver)
    Unaffected: e4ff45ecbc6ad212951815c8c99b2749fbd7de6b (git)
    Create a notification for this product.
    Date Public
    2026-06-27 00:00
    Credits
    George Chen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58000",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T19:20:14.531014Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T19:21:29.069Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/openwrt/luci/security/advisories/GHSA-pm9w-522m-8rrh"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "luci-proto-openvpn",
              "repo": "https://github.com/openwrt/luci",
              "vendor": "openwrt",
              "versions": [
                {
                  "lessThanOrEqual": "0.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "e4ff45ecbc6ad212951815c8c99b2749fbd7de6b",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "George Chen"
            }
          ],
          "datePublic": "2026-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the generateKey ubus method where the cl_meta parameter is interpolated into a shell command without proper escaping or quoting. An authenticated LuCI user with OpenVPN protocol configuration access can inject arbitrary shell metacharacters into cl_meta to execute commands as root via the popen function."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T11:15:50.568Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-pm9w-522m-8rrh)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-pm9w-522m-8rrh"
            },
            {
              "name": "Patch Commit",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/e4ff45ecbc6ad212951815c8c99b2749fbd7de6b"
            },
            {
              "name": "VulnCheck Advisory: luci-proto-openvpn - Command Injection via cl_meta Parameter in generateKey",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-proto-openvpn-command-injection-via-cl-meta-parameter-in-generatekey"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "luci-proto-openvpn - Command Injection via cl_meta Parameter in generateKey",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-58000",
        "datePublished": "2026-06-29T18:16:04.973Z",
        "dateReserved": "2026-06-26T17:58:05.796Z",
        "dateUpdated": "2026-06-30T11:15:50.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57999 (GCVE-0-2026-57999)

    Vulnerability from nvd – Published: 2026-06-29 18:16 – Updated: 2026-06-30 13:16 X_Open Source
    VLAI
    Title
    luci-app-tailscale-community - Command Injection via tailscale.do_login RPC
    Summary
    luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted within a double-quoted shell command, allowing shell substitutions like $() to be evaluated by the outer shell before argument processing.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    openwrt luci-app-tailscale-community Affected: 0 , ≤ 0.11.1 (semver)
    Create a notification for this product.
    Date Public
    2026-06-11 00:00
    Credits
    lujie (@lujiefsi)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57999",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-30T13:16:48.896086Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T13:16:53.946Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/openwrt/luci/security/advisories/GHSA-xwc5-mx58-rh35"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "luci-app-tailscale-community",
              "repo": "https://github.com/openwrt/luci",
              "vendor": "openwrt",
              "versions": [
                {
                  "lessThanOrEqual": "0.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "lujie (@lujiefsi)"
            }
          ],
          "datePublic": "2026-06-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted within a double-quoted shell command, allowing shell substitutions like $() to be evaluated by the outer shell before argument processing."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T11:15:49.876Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-xwc5-mx58-rh35)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-xwc5-mx58-rh35"
            },
            {
              "name": "VulnCheck Advisory: luci-app-tailscale-community - Command Injection via tailscale.do_login RPC",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-app-tailscale-community-command-injection-via-tailscale-do-login-rpc"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "luci-app-tailscale-community - Command Injection via tailscale.do_login RPC",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-57999",
        "datePublished": "2026-06-29T18:16:04.327Z",
        "dateReserved": "2026-06-26T17:58:05.796Z",
        "dateUpdated": "2026-06-30T13:16:53.946Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32721 (GCVE-0-2026-32721)

    Vulnerability from nvd – Published: 2026-03-19 22:46 – Updated: 2026-03-25 03:56
    VLAI
    Title
    LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal
    Summary
    LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    openwrt luci Affected: < 26.072.65753~068150b
    Create a notification for this product.
    openwrt openwrt Affected: < 24.10.6
    Affected: >= 25.12.0, < 25.12.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32721",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-24T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T03:56:15.781Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "luci",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 26.072.65753~068150b"
                }
              ]
            },
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 24.10.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 25.12.0, \u003c 25.12.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T22:46:43.909Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/luci/security/advisories/GHSA-vvj6-7362-pjrw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-vvj6-7362-pjrw"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/068150ba5f524ef6b03817b258d31ec310053fd6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/luci/commit/068150ba5f524ef6b03817b258d31ec310053fd6"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/cdce600aaec66f762f18d608c74cbf3abcafe1c7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/luci/commit/cdce600aaec66f762f18d608c74cbf3abcafe1c7"
            }
          ],
          "source": {
            "advisory": "GHSA-vvj6-7362-pjrw",
            "discovery": "UNKNOWN"
          },
          "title": "LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32721",
        "datePublished": "2026-03-19T22:46:43.909Z",
        "dateReserved": "2026-03-13T15:02:00.625Z",
        "dateUpdated": "2026-03-25T03:56:15.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30874 (GCVE-0-2026-30874)

    Vulnerability from nvd – Published: 2026-03-19 22:36 – Updated: 2026-03-20 18:09
    VLAI
    Title
    OpenWrt procd PATH Environment Variable Filter Bypass via Incorrect String Comparison Leads to Privilege Escalation
    Summary
    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-187 - Partial String Comparison
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    openwrt openwrt Affected: < 24.10.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30874",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-20T17:13:02.973267Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-20T18:09:36.205Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 24.10.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal \"PATH\", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 1.8,
                "baseSeverity": "LOW",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-187",
                  "description": "CWE-187: Partial String Comparison",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T22:36:04.507Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934"
            },
            {
              "name": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81"
            }
          ],
          "source": {
            "advisory": "GHSA-jw28-hxcm-j934",
            "discovery": "UNKNOWN"
          },
          "title": "OpenWrt procd PATH Environment Variable Filter Bypass via Incorrect String Comparison Leads to Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-30874",
        "datePublished": "2026-03-19T22:36:04.507Z",
        "dateReserved": "2026-03-06T00:04:56.699Z",
        "dateUpdated": "2026-03-20T18:09:36.205Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30873 (GCVE-0-2026-30873)

    Vulnerability from nvd – Published: 2026-03-19 22:01 – Updated: 2026-03-21 03:26
    VLAI
    Title
    OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens
    Summary
    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-401 - Missing Release of Memory after Effective Lifetime
    Assigner
    Impacted products
    Vendor Product Version
    openwrt openwrt Affected: >= 25.12.0-rc1, < 25.12.1
    Affected: < 24.10.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30873",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-21T03:25:41.581578Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-21T03:26:08.591Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 24.10.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-401",
                  "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T22:01:03.867Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
            }
          ],
          "source": {
            "advisory": "GHSA-rcc6-v4r6-gj4m",
            "discovery": "UNKNOWN"
          },
          "title": "OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-30873",
        "datePublished": "2026-03-19T22:01:03.867Z",
        "dateReserved": "2026-03-06T00:04:56.698Z",
        "dateUpdated": "2026-03-21T03:26:08.591Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30872 (GCVE-0-2026-30872)

    Vulnerability from nvd – Published: 2026-03-19 21:56 – Updated: 2026-03-25 03:56
    VLAI
    Title
    OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup
    Summary
    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    openwrt openwrt Affected: >= 25.12.0-rc1, < 25.12.1
    Affected: < 24.10.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30872",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-24T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T03:56:13.660Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 24.10.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T21:56:23.472Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
            }
          ],
          "source": {
            "advisory": "GHSA-mpgh-v658-jqv5",
            "discovery": "UNKNOWN"
          },
          "title": "OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-30872",
        "datePublished": "2026-03-19T21:56:23.472Z",
        "dateReserved": "2026-03-06T00:04:56.698Z",
        "dateUpdated": "2026-03-25T03:56:13.660Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30871 (GCVE-0-2026-30871)

    Vulnerability from nvd – Published: 2026-03-19 21:49 – Updated: 2026-03-25 03:56
    VLAI
    Title
    OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query
    Summary
    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    openwrt openwrt Affected: < 24.10.6
    Affected: >= 25.12.0-rc1, < 25.12.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30871",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-24T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T03:56:12.627Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 24.10.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is  triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \\001), significantly inflating the expanded name beyond the stack buffer\u0027s capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T21:49:50.876Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
            }
          ],
          "source": {
            "advisory": "GHSA-7c3j-f7w2-p8f6",
            "discovery": "UNKNOWN"
          },
          "title": "OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-30871",
        "datePublished": "2026-03-19T21:49:50.876Z",
        "dateReserved": "2026-03-06T00:04:56.698Z",
        "dateUpdated": "2026-03-25T03:56:12.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-20435 (GCVE-0-2026-20435)

    Vulnerability from nvd – Published: 2026-03-02 08:39 – Updated: 2026-03-30 13:05
    VLAI
    Summary
    In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    MediaTek, Inc. MediaTek chipset Affected: MT2737
    Affected: MT6739
    Affected: MT6761
    Affected: MT6765
    Affected: MT6768
    Affected: MT6781
    Affected: MT6789
    Affected: MT6813
    Affected: MT6833
    Affected: MT6853
    Affected: MT6855
    Affected: MT6877
    Affected: MT6878
    Affected: MT6879
    Affected: MT6880
    Affected: MT6885
    Affected: MT6886
    Affected: MT6890
    Affected: MT6893
    Affected: MT6895
    Affected: MT6897
    Affected: MT6983
    Affected: MT6985
    Affected: MT6989
    Affected: MT6990
    Affected: MT6993
    Affected: MT8169
    Affected: MT8186
    Affected: MT8188
    Affected: MT8370
    Affected: MT8390
    Affected: MT8676
    Affected: MT8678
    Affected: MT8696
    Affected: MT8793
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "PHYSICAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.6,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-20435",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-02T13:35:00.235194Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-02T13:35:04.764Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MediaTek chipset",
              "vendor": "MediaTek, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "MT2737"
                },
                {
                  "status": "affected",
                  "version": "MT6739"
                },
                {
                  "status": "affected",
                  "version": "MT6761"
                },
                {
                  "status": "affected",
                  "version": "MT6765"
                },
                {
                  "status": "affected",
                  "version": "MT6768"
                },
                {
                  "status": "affected",
                  "version": "MT6781"
                },
                {
                  "status": "affected",
                  "version": "MT6789"
                },
                {
                  "status": "affected",
                  "version": "MT6813"
                },
                {
                  "status": "affected",
                  "version": "MT6833"
                },
                {
                  "status": "affected",
                  "version": "MT6853"
                },
                {
                  "status": "affected",
                  "version": "MT6855"
                },
                {
                  "status": "affected",
                  "version": "MT6877"
                },
                {
                  "status": "affected",
                  "version": "MT6878"
                },
                {
                  "status": "affected",
                  "version": "MT6879"
                },
                {
                  "status": "affected",
                  "version": "MT6880"
                },
                {
                  "status": "affected",
                  "version": "MT6885"
                },
                {
                  "status": "affected",
                  "version": "MT6886"
                },
                {
                  "status": "affected",
                  "version": "MT6890"
                },
                {
                  "status": "affected",
                  "version": "MT6893"
                },
                {
                  "status": "affected",
                  "version": "MT6895"
                },
                {
                  "status": "affected",
                  "version": "MT6897"
                },
                {
                  "status": "affected",
                  "version": "MT6983"
                },
                {
                  "status": "affected",
                  "version": "MT6985"
                },
                {
                  "status": "affected",
                  "version": "MT6989"
                },
                {
                  "status": "affected",
                  "version": "MT6990"
                },
                {
                  "status": "affected",
                  "version": "MT6993"
                },
                {
                  "status": "affected",
                  "version": "MT8169"
                },
                {
                  "status": "affected",
                  "version": "MT8186"
                },
                {
                  "status": "affected",
                  "version": "MT8188"
                },
                {
                  "status": "affected",
                  "version": "MT8370"
                },
                {
                  "status": "affected",
                  "version": "MT8390"
                },
                {
                  "status": "affected",
                  "version": "MT8676"
                },
                {
                  "status": "affected",
                  "version": "MT8678"
                },
                {
                  "status": "affected",
                  "version": "MT8696"
                },
                {
                  "status": "affected",
                  "version": "MT8793"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T13:05:38.348Z",
            "orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
            "shortName": "MediaTek"
          },
          "references": [
            {
              "url": "https://corp.mediatek.com/product-security-bulletin/March-2026"
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
        "assignerShortName": "MediaTek",
        "cveId": "CVE-2026-20435",
        "datePublished": "2026-03-02T08:39:12.070Z",
        "dateReserved": "2025-11-03T01:30:59.011Z",
        "dateUpdated": "2026-03-30T13:05:38.348Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-20430 (GCVE-0-2026-20430)

    Vulnerability from nvd – Published: 2026-03-02 08:39 – Updated: 2026-03-30 13:05
    VLAI
    Summary
    In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    MediaTek, Inc. MediaTek chipset Affected: MT6890
    Affected: MT7915
    Affected: MT7916
    Affected: MT7981
    Affected: MT7986
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "ADJACENT_NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-20430",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-02T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T04:55:59.512Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MediaTek chipset",
              "vendor": "MediaTek, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "MT6890"
                },
                {
                  "status": "affected",
                  "version": "MT7915"
                },
                {
                  "status": "affected",
                  "version": "MT7916"
                },
                {
                  "status": "affected",
                  "version": "MT7981"
                },
                {
                  "status": "affected",
                  "version": "MT7986"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787 Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T13:05:32.389Z",
            "orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
            "shortName": "MediaTek"
          },
          "references": [
            {
              "url": "https://corp.mediatek.com/product-security-bulletin/March-2026"
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
        "assignerShortName": "MediaTek",
        "cveId": "CVE-2026-20430",
        "datePublished": "2026-03-02T08:39:08.082Z",
        "dateReserved": "2025-11-03T01:30:59.011Z",
        "dateUpdated": "2026-03-30T13:05:32.389Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62184 (GCVE-0-2026-62184)

    Vulnerability from cvelistv5 – Published: 2026-07-13 21:30 – Updated: 2026-07-13 21:30 X_Open Source
    VLAI
    Title
    luci-app-banip Log Monitor IP Extraction Bypass
    Summary
    luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP address into the login username field, causing banIP to block the wrong target while the real attacker remains unblocked.
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
    openwrt luci Affected: 0 , ≤ 0.11.1 (semver)
    Unaffected: d9bbc372e29618a8807b693a1ccf6d0e42cd196c (git)
    Create a notification for this product.
    Date Public
    2026-06-28 00:00
    Credits
    lujie (@lujiefsi)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "luci",
              "repo": "https://github.com/openwrt/luci",
              "vendor": "openwrt",
              "versions": [
                {
                  "lessThanOrEqual": "0.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "d9bbc372e29618a8807b693a1ccf6d0e42cd196c",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "lujie (@lujiefsi)"
            }
          ],
          "datePublic": "2026-06-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP address into the login username field, causing banIP to block the wrong target while the real attacker remains unblocked."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T21:30:09.248Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-r6hx-4f83-vp8m)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-r6hx-4f83-vp8m"
            },
            {
              "name": "Patch Commit",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/d9bbc372e29618a8807b693a1ccf6d0e42cd196c"
            },
            {
              "name": "VulnCheck Advisory: luci-app-banip Log Monitor IP Extraction Bypass",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-app-banip-log-monitor-ip-extraction-bypass"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "luci-app-banip Log Monitor IP Extraction Bypass",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-62184",
        "datePublished": "2026-07-13T21:30:09.248Z",
        "dateReserved": "2026-07-13T16:36:32.094Z",
        "dateUpdated": "2026-07-13T21:30:09.248Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-61876 (GCVE-0-2026-61876)

    Vulnerability from cvelistv5 – Published: 2026-07-12 12:07 – Updated: 2026-07-12 12:07
    VLAI
    Title
    LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting
    Summary
    LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Date Public
    2026-06-27 00:00
    Credits
    lujiefsi
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "luci",
              "vendor": "openwrt"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "lujiefsi"
            }
          ],
          "datePublic": "2026-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator\u0027s browser when viewing DHCP lease pages."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-12T12:07:55.788Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-686p-p8p9-x6fh)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-686p-p8p9-x6fh"
            },
            {
              "name": "VulnCheck Advisory: LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-dhcpv6-lease-hostname-stored-cross-site-scripting"
            }
          ],
          "title": "LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-61876",
        "datePublished": "2026-07-12T12:07:55.788Z",
        "dateReserved": "2026-07-10T21:54:26.760Z",
        "dateUpdated": "2026-07-12T12:07:55.788Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-61875 (GCVE-0-2026-61875)

    Vulnerability from cvelistv5 – Published: 2026-07-12 12:06 – Updated: 2026-07-13 14:19
    VLAI
    Title
    luci-app-upnp Stored XSS via UPnP Port Mapping Description
    Summary
    luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders without output encoding, executing the payload when administrators view the UPnP or Status pages.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Date Public
    2026-06-27 00:00
    Credits
    lujiefsi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-61875",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T14:19:23.887144Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T14:19:53.274Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/openwrt/luci/security/advisories/GHSA-8v49-6387-7f89"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "luci",
              "vendor": "openwrt"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "lujiefsi"
            }
          ],
          "datePublic": "2026-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders without output encoding, executing the payload when administrators view the UPnP or Status pages."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-12T12:06:36.956Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-8v49-6387-7f89)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-8v49-6387-7f89"
            },
            {
              "name": "VulnCheck Advisory: luci-app-upnp Stored XSS via UPnP Port Mapping Description",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-app-upnp-stored-xss-via-upnp-port-mapping-description"
            }
          ],
          "title": "luci-app-upnp Stored XSS via UPnP Port Mapping Description",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-61875",
        "datePublished": "2026-07-12T12:06:36.956Z",
        "dateReserved": "2026-07-10T21:54:26.760Z",
        "dateUpdated": "2026-07-13T14:19:53.274Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59260 (GCVE-0-2026-59260)

    Vulnerability from cvelistv5 – Published: 2026-07-12 12:06 – Updated: 2026-07-13 15:10
    VLAI
    Title
    OpenWrt luci-app-samba4 read ACL remote code execution via smbd
    Summary
    OpenWrt luci-app-samba4 read ACL grants file.exec permission on /usr/sbin/smbd, allowing authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can pass arbitrary Samba global options such as message command to a root smbd process, triggering command execution when SMB protocol messages are processed.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Date Public
    2026-06-27 00:00
    Credits
    ZwCrazyThursday
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59260",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T15:10:26.958671Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T15:10:35.291Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/openwrt/luci/security/advisories/GHSA-vx64-mmp7-h36c"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "luci",
              "vendor": "openwrt"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "ZwCrazyThursday"
            }
          ],
          "datePublic": "2026-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt luci-app-samba4 read ACL grants file.exec permission on /usr/sbin/smbd, allowing authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can pass arbitrary Samba global options such as message command to a root smbd process, triggering command execution when SMB protocol messages are processed."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-12T12:06:35.592Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-vx64-mmp7-h36c)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-vx64-mmp7-h36c"
            },
            {
              "name": "VulnCheck Advisory: OpenWrt luci-app-samba4 read ACL remote code execution via smbd",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/openwrt-luci-app-samba4-read-acl-remote-code-execution-via-smbd"
            }
          ],
          "title": "OpenWrt luci-app-samba4 read ACL remote code execution via smbd",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-59260",
        "datePublished": "2026-07-12T12:06:35.592Z",
        "dateReserved": "2026-07-04T12:17:14.302Z",
        "dateUpdated": "2026-07-13T15:10:35.291Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55490 (GCVE-0-2026-55490)

    Vulnerability from cvelistv5 – Published: 2026-07-07 21:08 – Updated: 2026-07-08 13:52
    VLAI
    Title
    OpenWrt: EAD Integer Underflow → Pre-Auth Denial of Service
    Summary
    OpenWrt is a Linux operating system targeting embedded devices. Before v25.12.5, an integer underflow in handle_send_a() of the Emergency Access Daemon allows any unauthenticated attacker on the local network to crash the daemon by sending a single crafted UDP packet. The message length underflows before a bounds check and is then passed to memcpy as a very large size. This issue is fixed v25.12.5.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-191 - Integer Underflow (Wrap or Wraparound)
    Assigner
    Impacted products
    Vendor Product Version
    openwrt openwrt Affected: < 25.12.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55490",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:51:49.570163Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:52:07.490Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 25.12.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt is a Linux operating system targeting embedded devices. Before v25.12.5, an integer underflow in handle_send_a() of the Emergency Access Daemon allows any unauthenticated attacker on the local network to crash the daemon by sending a single crafted UDP packet. The message length underflows before a bounds check and is then passed to memcpy as a very large size. This issue is fixed v25.12.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-191",
                  "description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T21:08:26.638Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-9558-77jp-g3fw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-9558-77jp-g3fw"
            },
            {
              "name": "https://github.com/openwrt/openwrt/commit/63c0767f3d02f7b10b0f0b5293366bd059a08ca5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/commit/63c0767f3d02f7b10b0f0b5293366bd059a08ca5"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.5"
            }
          ],
          "source": {
            "advisory": "GHSA-9558-77jp-g3fw",
            "discovery": "UNKNOWN"
          },
          "title": "OpenWrt: EAD Integer Underflow \u2192 Pre-Auth Denial of Service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55490",
        "datePublished": "2026-07-07T21:08:26.638Z",
        "dateReserved": "2026-06-16T22:28:27.062Z",
        "dateUpdated": "2026-07-08T13:52:07.490Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58652 (GCVE-0-2026-58652)

    Vulnerability from cvelistv5 – Published: 2026-07-02 12:28 – Updated: 2026-07-02 13:16
    VLAI
    Title
    luci-app-travelmate - Arbitrary Command Execution via UCI Script Parameter
    Summary
    luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    openwrt luci-app-travelmate Affected: 2.4.5-r3 (custom)
    Create a notification for this product.
    openwrt travelmate Affected: 2.4.5-r3 (custom)
    Affected: 2.4.6-1 (custom)
    Create a notification for this product.
    Date Public
    2026-06-17 00:00
    Credits
    ZwCrazyThursday
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58652",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T13:16:39.810703Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T13:16:44.529Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/openwrt/luci/security/advisories/GHSA-p35r-3323-6g7g"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "luci-app-travelmate",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.4.5-r3",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "travelmate",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.4.5-r3",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "2.4.6-1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "ZwCrazyThursday"
            }
          ],
          "datePublic": "2026-06-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI \u0027script\u0027 and \u0027script_args\u0027 values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T12:28:34.022Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-p35r-3323-6g7g)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-p35r-3323-6g7g"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/f85102548ee8325bfd581a0327b210b5f7670829",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/f85102548ee8325bfd581a0327b210b5f7670829"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/491f1df06645c4e0757fed4a9f0622e9ce0d300c",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/491f1df06645c4e0757fed4a9f0622e9ce0d300c"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/71d92bcc9edbc8f95858ce82a8ff5d52500005a2",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/71d92bcc9edbc8f95858ce82a8ff5d52500005a2"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/0627b412ee3a760cc4bca9fc8a5b73de8f33ac10",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/0627b412ee3a760cc4bca9fc8a5b73de8f33ac10"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/d6e457a1a70a9010195edeafdc0b8eb6e3b0f7f1",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/d6e457a1a70a9010195edeafdc0b8eb6e3b0f7f1"
            },
            {
              "name": "VulnCheck Advisory: luci-app-travelmate - Arbitrary Command Execution via UCI Script Parameter",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-app-travelmate-arbitrary-command-execution-via-uci-script-parameter"
            }
          ],
          "title": "luci-app-travelmate - Arbitrary Command Execution via UCI Script Parameter",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-58652",
        "datePublished": "2026-07-02T12:28:34.022Z",
        "dateReserved": "2026-07-01T21:54:37.945Z",
        "dateUpdated": "2026-07-02T13:16:44.529Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58000 (GCVE-0-2026-58000)

    Vulnerability from cvelistv5 – Published: 2026-06-29 18:16 – Updated: 2026-06-30 11:15 X_Open Source
    VLAI
    Title
    luci-proto-openvpn - Command Injection via cl_meta Parameter in generateKey
    Summary
    luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the generateKey ubus method where the cl_meta parameter is interpolated into a shell command without proper escaping or quoting. An authenticated LuCI user with OpenVPN protocol configuration access can inject arbitrary shell metacharacters into cl_meta to execute commands as root via the popen function.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    openwrt luci-proto-openvpn Affected: 0 , ≤ 0.11.1 (semver)
    Unaffected: e4ff45ecbc6ad212951815c8c99b2749fbd7de6b (git)
    Create a notification for this product.
    Date Public
    2026-06-27 00:00
    Credits
    George Chen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58000",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T19:20:14.531014Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T19:21:29.069Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/openwrt/luci/security/advisories/GHSA-pm9w-522m-8rrh"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "luci-proto-openvpn",
              "repo": "https://github.com/openwrt/luci",
              "vendor": "openwrt",
              "versions": [
                {
                  "lessThanOrEqual": "0.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "e4ff45ecbc6ad212951815c8c99b2749fbd7de6b",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "George Chen"
            }
          ],
          "datePublic": "2026-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the generateKey ubus method where the cl_meta parameter is interpolated into a shell command without proper escaping or quoting. An authenticated LuCI user with OpenVPN protocol configuration access can inject arbitrary shell metacharacters into cl_meta to execute commands as root via the popen function."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T11:15:50.568Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-pm9w-522m-8rrh)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-pm9w-522m-8rrh"
            },
            {
              "name": "Patch Commit",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/openwrt/luci/commit/e4ff45ecbc6ad212951815c8c99b2749fbd7de6b"
            },
            {
              "name": "VulnCheck Advisory: luci-proto-openvpn - Command Injection via cl_meta Parameter in generateKey",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-proto-openvpn-command-injection-via-cl-meta-parameter-in-generatekey"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "luci-proto-openvpn - Command Injection via cl_meta Parameter in generateKey",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-58000",
        "datePublished": "2026-06-29T18:16:04.973Z",
        "dateReserved": "2026-06-26T17:58:05.796Z",
        "dateUpdated": "2026-06-30T11:15:50.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57999 (GCVE-0-2026-57999)

    Vulnerability from cvelistv5 – Published: 2026-06-29 18:16 – Updated: 2026-06-30 13:16 X_Open Source
    VLAI
    Title
    luci-app-tailscale-community - Command Injection via tailscale.do_login RPC
    Summary
    luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted within a double-quoted shell command, allowing shell substitutions like $() to be evaluated by the outer shell before argument processing.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    openwrt luci-app-tailscale-community Affected: 0 , ≤ 0.11.1 (semver)
    Create a notification for this product.
    Date Public
    2026-06-11 00:00
    Credits
    lujie (@lujiefsi)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57999",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-30T13:16:48.896086Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T13:16:53.946Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/openwrt/luci/security/advisories/GHSA-xwc5-mx58-rh35"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "luci-app-tailscale-community",
              "repo": "https://github.com/openwrt/luci",
              "vendor": "openwrt",
              "versions": [
                {
                  "lessThanOrEqual": "0.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "lujie (@lujiefsi)"
            }
          ],
          "datePublic": "2026-06-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted within a double-quoted shell command, allowing shell substitutions like $() to be evaluated by the outer shell before argument processing."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-30T11:15:49.876Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-xwc5-mx58-rh35)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-xwc5-mx58-rh35"
            },
            {
              "name": "VulnCheck Advisory: luci-app-tailscale-community - Command Injection via tailscale.do_login RPC",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/luci-app-tailscale-community-command-injection-via-tailscale-do-login-rpc"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "luci-app-tailscale-community - Command Injection via tailscale.do_login RPC",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-57999",
        "datePublished": "2026-06-29T18:16:04.327Z",
        "dateReserved": "2026-06-26T17:58:05.796Z",
        "dateUpdated": "2026-06-30T13:16:53.946Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32721 (GCVE-0-2026-32721)

    Vulnerability from cvelistv5 – Published: 2026-03-19 22:46 – Updated: 2026-03-25 03:56
    VLAI
    Title
    LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal
    Summary
    LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    openwrt luci Affected: < 26.072.65753~068150b
    Create a notification for this product.
    openwrt openwrt Affected: < 24.10.6
    Affected: >= 25.12.0, < 25.12.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32721",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-24T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T03:56:15.781Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "luci",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 26.072.65753~068150b"
                }
              ]
            },
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 24.10.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 25.12.0, \u003c 25.12.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T22:46:43.909Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/luci/security/advisories/GHSA-vvj6-7362-pjrw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/luci/security/advisories/GHSA-vvj6-7362-pjrw"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/068150ba5f524ef6b03817b258d31ec310053fd6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/luci/commit/068150ba5f524ef6b03817b258d31ec310053fd6"
            },
            {
              "name": "https://github.com/openwrt/luci/commit/cdce600aaec66f762f18d608c74cbf3abcafe1c7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/luci/commit/cdce600aaec66f762f18d608c74cbf3abcafe1c7"
            }
          ],
          "source": {
            "advisory": "GHSA-vvj6-7362-pjrw",
            "discovery": "UNKNOWN"
          },
          "title": "LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32721",
        "datePublished": "2026-03-19T22:46:43.909Z",
        "dateReserved": "2026-03-13T15:02:00.625Z",
        "dateUpdated": "2026-03-25T03:56:15.781Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30874 (GCVE-0-2026-30874)

    Vulnerability from cvelistv5 – Published: 2026-03-19 22:36 – Updated: 2026-03-20 18:09
    VLAI
    Title
    OpenWrt procd PATH Environment Variable Filter Bypass via Incorrect String Comparison Leads to Privilege Escalation
    Summary
    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-187 - Partial String Comparison
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    openwrt openwrt Affected: < 24.10.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30874",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-20T17:13:02.973267Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-20T18:09:36.205Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 24.10.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal \"PATH\", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 1.8,
                "baseSeverity": "LOW",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-187",
                  "description": "CWE-187: Partial String Comparison",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T22:36:04.507Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934"
            },
            {
              "name": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81"
            }
          ],
          "source": {
            "advisory": "GHSA-jw28-hxcm-j934",
            "discovery": "UNKNOWN"
          },
          "title": "OpenWrt procd PATH Environment Variable Filter Bypass via Incorrect String Comparison Leads to Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-30874",
        "datePublished": "2026-03-19T22:36:04.507Z",
        "dateReserved": "2026-03-06T00:04:56.699Z",
        "dateUpdated": "2026-03-20T18:09:36.205Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30873 (GCVE-0-2026-30873)

    Vulnerability from cvelistv5 – Published: 2026-03-19 22:01 – Updated: 2026-03-21 03:26
    VLAI
    Title
    OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens
    Summary
    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-401 - Missing Release of Memory after Effective Lifetime
    Assigner
    Impacted products
    Vendor Product Version
    openwrt openwrt Affected: >= 25.12.0-rc1, < 25.12.1
    Affected: < 24.10.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30873",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-21T03:25:41.581578Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-21T03:26:08.591Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 24.10.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-401",
                  "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T22:01:03.867Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
            }
          ],
          "source": {
            "advisory": "GHSA-rcc6-v4r6-gj4m",
            "discovery": "UNKNOWN"
          },
          "title": "OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-30873",
        "datePublished": "2026-03-19T22:01:03.867Z",
        "dateReserved": "2026-03-06T00:04:56.698Z",
        "dateUpdated": "2026-03-21T03:26:08.591Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30872 (GCVE-0-2026-30872)

    Vulnerability from cvelistv5 – Published: 2026-03-19 21:56 – Updated: 2026-03-25 03:56
    VLAI
    Title
    OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup
    Summary
    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    openwrt openwrt Affected: >= 25.12.0-rc1, < 25.12.1
    Affected: < 24.10.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30872",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-24T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T03:56:13.660Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 24.10.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T21:56:23.472Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
            }
          ],
          "source": {
            "advisory": "GHSA-mpgh-v658-jqv5",
            "discovery": "UNKNOWN"
          },
          "title": "OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-30872",
        "datePublished": "2026-03-19T21:56:23.472Z",
        "dateReserved": "2026-03-06T00:04:56.698Z",
        "dateUpdated": "2026-03-25T03:56:13.660Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30871 (GCVE-0-2026-30871)

    Vulnerability from cvelistv5 – Published: 2026-03-19 21:49 – Updated: 2026-03-25 03:56
    VLAI
    Title
    OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query
    Summary
    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    openwrt openwrt Affected: < 24.10.6
    Affected: >= 25.12.0-rc1, < 25.12.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30871",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-24T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T03:56:12.627Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "openwrt",
              "vendor": "openwrt",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 24.10.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is  triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \\001), significantly inflating the expanded name beyond the stack buffer\u0027s capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T21:49:50.876Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
            },
            {
              "name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
            }
          ],
          "source": {
            "advisory": "GHSA-7c3j-f7w2-p8f6",
            "discovery": "UNKNOWN"
          },
          "title": "OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-30871",
        "datePublished": "2026-03-19T21:49:50.876Z",
        "dateReserved": "2026-03-06T00:04:56.698Z",
        "dateUpdated": "2026-03-25T03:56:12.627Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-20435 (GCVE-0-2026-20435)

    Vulnerability from cvelistv5 – Published: 2026-03-02 08:39 – Updated: 2026-03-30 13:05
    VLAI
    Summary
    In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    MediaTek, Inc. MediaTek chipset Affected: MT2737
    Affected: MT6739
    Affected: MT6761
    Affected: MT6765
    Affected: MT6768
    Affected: MT6781
    Affected: MT6789
    Affected: MT6813
    Affected: MT6833
    Affected: MT6853
    Affected: MT6855
    Affected: MT6877
    Affected: MT6878
    Affected: MT6879
    Affected: MT6880
    Affected: MT6885
    Affected: MT6886
    Affected: MT6890
    Affected: MT6893
    Affected: MT6895
    Affected: MT6897
    Affected: MT6983
    Affected: MT6985
    Affected: MT6989
    Affected: MT6990
    Affected: MT6993
    Affected: MT8169
    Affected: MT8186
    Affected: MT8188
    Affected: MT8370
    Affected: MT8390
    Affected: MT8676
    Affected: MT8678
    Affected: MT8696
    Affected: MT8793
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "PHYSICAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.6,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-20435",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-02T13:35:00.235194Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-02T13:35:04.764Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MediaTek chipset",
              "vendor": "MediaTek, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "MT2737"
                },
                {
                  "status": "affected",
                  "version": "MT6739"
                },
                {
                  "status": "affected",
                  "version": "MT6761"
                },
                {
                  "status": "affected",
                  "version": "MT6765"
                },
                {
                  "status": "affected",
                  "version": "MT6768"
                },
                {
                  "status": "affected",
                  "version": "MT6781"
                },
                {
                  "status": "affected",
                  "version": "MT6789"
                },
                {
                  "status": "affected",
                  "version": "MT6813"
                },
                {
                  "status": "affected",
                  "version": "MT6833"
                },
                {
                  "status": "affected",
                  "version": "MT6853"
                },
                {
                  "status": "affected",
                  "version": "MT6855"
                },
                {
                  "status": "affected",
                  "version": "MT6877"
                },
                {
                  "status": "affected",
                  "version": "MT6878"
                },
                {
                  "status": "affected",
                  "version": "MT6879"
                },
                {
                  "status": "affected",
                  "version": "MT6880"
                },
                {
                  "status": "affected",
                  "version": "MT6885"
                },
                {
                  "status": "affected",
                  "version": "MT6886"
                },
                {
                  "status": "affected",
                  "version": "MT6890"
                },
                {
                  "status": "affected",
                  "version": "MT6893"
                },
                {
                  "status": "affected",
                  "version": "MT6895"
                },
                {
                  "status": "affected",
                  "version": "MT6897"
                },
                {
                  "status": "affected",
                  "version": "MT6983"
                },
                {
                  "status": "affected",
                  "version": "MT6985"
                },
                {
                  "status": "affected",
                  "version": "MT6989"
                },
                {
                  "status": "affected",
                  "version": "MT6990"
                },
                {
                  "status": "affected",
                  "version": "MT6993"
                },
                {
                  "status": "affected",
                  "version": "MT8169"
                },
                {
                  "status": "affected",
                  "version": "MT8186"
                },
                {
                  "status": "affected",
                  "version": "MT8188"
                },
                {
                  "status": "affected",
                  "version": "MT8370"
                },
                {
                  "status": "affected",
                  "version": "MT8390"
                },
                {
                  "status": "affected",
                  "version": "MT8676"
                },
                {
                  "status": "affected",
                  "version": "MT8678"
                },
                {
                  "status": "affected",
                  "version": "MT8696"
                },
                {
                  "status": "affected",
                  "version": "MT8793"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T13:05:38.348Z",
            "orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
            "shortName": "MediaTek"
          },
          "references": [
            {
              "url": "https://corp.mediatek.com/product-security-bulletin/March-2026"
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
        "assignerShortName": "MediaTek",
        "cveId": "CVE-2026-20435",
        "datePublished": "2026-03-02T08:39:12.070Z",
        "dateReserved": "2025-11-03T01:30:59.011Z",
        "dateUpdated": "2026-03-30T13:05:38.348Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-20430 (GCVE-0-2026-20430)

    Vulnerability from cvelistv5 – Published: 2026-03-02 08:39 – Updated: 2026-03-30 13:05
    VLAI
    Summary
    In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    MediaTek, Inc. MediaTek chipset Affected: MT6890
    Affected: MT7915
    Affected: MT7916
    Affected: MT7981
    Affected: MT7986
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "ADJACENT_NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-20430",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-02T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T04:55:59.512Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MediaTek chipset",
              "vendor": "MediaTek, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "MT6890"
                },
                {
                  "status": "affected",
                  "version": "MT7915"
                },
                {
                  "status": "affected",
                  "version": "MT7916"
                },
                {
                  "status": "affected",
                  "version": "MT7981"
                },
                {
                  "status": "affected",
                  "version": "MT7986"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787 Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T13:05:32.389Z",
            "orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
            "shortName": "MediaTek"
          },
          "references": [
            {
              "url": "https://corp.mediatek.com/product-security-bulletin/March-2026"
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
        "assignerShortName": "MediaTek",
        "cveId": "CVE-2026-20430",
        "datePublished": "2026-03-02T08:39:08.082Z",
        "dateReserved": "2025-11-03T01:30:59.011Z",
        "dateUpdated": "2026-03-30T13:05:32.389Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }