CVE-2026-32721
Received Received - Intake
Stored XSS in LuCI Wireless Scan Modal Allows Code Injection

Publication date: 2026-03-19

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32721
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openwrt openwrt to 24.10.6 (exc)
openwrt openwrt From 25.12.0 (inc) to 25.12.1 (exc)
openwrt luci to 26.072.65753-068150b (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in the LuCI OpenWrt Configuration Interface. Specifically, in versions prior to 24.10.5 and 25.12.0, the wireless scan modal renders SSID values from scan results as raw HTML without sanitization. The wireless.js file passes SSIDs via a template literal to dom.append(), which uses innerHTML, allowing attackers to craft malicious SSIDs containing arbitrary HTML or JavaScript code. Exploitation requires the user to open the wireless scan modal, such as when connecting to Wi-Fi or scanning channels.

Impact Analysis

This vulnerability can lead to serious security impacts including the execution of arbitrary code in the context of the LuCI interface. Because the vulnerability allows injection of malicious HTML or JavaScript, it can result in compromise of confidentiality, integrity, and availability of the system. The CVSS score of 8.6 indicates high severity, with potential impacts such as data theft, unauthorized actions, or denial of service.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your LuCI installation to a patched version. The vulnerability is fixed in LuCI version 26.072.65753~068150b and in OpenWrt releases 24.10.6 and 25.12.1 or later.

Until you can upgrade, avoid opening the wireless scan modal in LuCI, as exploitation requires active user interaction with this feature.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32721. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart