Luci

luci

Vendor: Openwrt • 6 CVEs

CVEs (6)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-32721 1Openwrt 2Luci Openwrt Apr 14, 2026 Mar 19, 2026 N/A· v4 4.8 MEDIUM· v3 N/A· v2 LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without...Show more LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.Show less
CVE-2023-24181 1Openwrt 1Luci Feb 11, 2025 Apr 10, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm.
CVE-2022-41435 1Openwrt 1Luci May 5, 2025 Nov 3, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web...Show more OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments.Show less
CVE-2021-27821 1Openwrt 1Luci Nov 21, 2024 May 25, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution.
CVE-2020-10871 1Openwrt 1Luci Nov 21, 2024 Mar 23, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauth...Show more In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information furtherShow less
CVE-2019-12272 1Openwrt 1Luci Nov 21, 2024 May 23, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability.