Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-32721
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-19 Mar, 2026 | 23:16
Updated At-14 Apr, 2026 | 17:49

LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.6HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary3.14.8MEDIUM
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches
OpenWrt
openwrt
>>luci>>Versions before 26.072.65753-068150b(exclusive)
cpe:2.3:a:openwrt:luci:*:*:*:*:*:*:*:*
OpenWrt
openwrt
>>openwrt>>Versions before 24.10.6(exclusive)
cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*
OpenWrt
openwrt
>>openwrt>>Versions from 25.12.0(inclusive) to 25.12.1(exclusive)
cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity-advisories@github.com
CWE ID: CWE-79
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/openwrt/luci/commit/068150ba5f524ef6b03817b258d31ec310053fd6security-advisories@github.com
Patch
https://github.com/openwrt/luci/commit/cdce600aaec66f762f18d608c74cbf3abcafe1c7security-advisories@github.com
Patch
https://github.com/openwrt/luci/security/advisories/GHSA-vvj6-7362-pjrwsecurity-advisories@github.com
Patch
Vendor Advisory
Hyperlink: https://github.com/openwrt/luci/commit/068150ba5f524ef6b03817b258d31ec310053fd6
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/openwrt/luci/commit/cdce600aaec66f762f18d608c74cbf3abcafe1c7
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/openwrt/luci/security/advisories/GHSA-vvj6-7362-pjrw
Source: security-advisories@github.com
Resource:
Patch
Vendor Advisory
Change History
0Changes found
Details not found