CVE-2026-61875
Received Received - Intake

Stored XSS in luci-app-upnp via UPnP IGD AddPortMapping

Vulnerability report for CVE-2026-61875, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulnCheck

Description

luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders without output encoding, executing the payload when administrators view the UPnP or Status pages.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openwrt luci-app-upnp From 8.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-61875 is a stored cross-site scripting (XSS) vulnerability in the luci-app-upnp package for OpenWrt. An unauthenticated attacker on the local network can exploit this by sending a malicious UPnP IGD AddPortMapping SOAP request containing JavaScript or HTML code in the NewPortMappingDescription field.

This malicious input is stored by the miniupnpd service and later rendered by luci-app-upnp without proper output encoding. When an administrator views the UPnP or Status pages in the LuCI web interface, the injected script executes with the administrator's privileges.

The root cause is improper handling of untrusted data in frontend JavaScript files, where the description is inserted directly into the DOM using innerHTML, allowing script execution.

Impact Analysis

This vulnerability can have a high impact because it allows an attacker on the local network to execute arbitrary JavaScript code in the context of the administrator's browser session.

  • Attackers can steal sensitive data accessible to the administrator.
  • Attackers can hijack administrator sessions.
  • The attack requires no authentication but does require the attacker to be on the LAN and the administrator to view the affected pages.
Detection Guidance

This vulnerability can be detected by monitoring UPnP IGD AddPortMapping SOAP requests on your local network for suspicious or malicious content in the NewPortMappingDescription field.

Specifically, you can capture and inspect network traffic to identify SOAP requests that contain embedded HTML or JavaScript code in the NewPortMappingDescription parameter.

  • Use a network packet capture tool like tcpdump or Wireshark to capture UPnP traffic on the LAN interface.
  • Example tcpdump command to capture UPnP traffic (typically on UDP port 1900 or TCP port 5000):
  • tcpdump -i <interface> -A 'udp port 1900 or tcp port 5000' | grep -i NewPortMappingDescription
  • Analyze captured packets for suspicious JavaScript or HTML code embedded in the NewPortMappingDescription field.

Additionally, reviewing the miniupnpd lease files for unexpected or suspicious entries in the port mapping descriptions can help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability immediately, restrict access to the UPnP service to trusted devices only, ideally by limiting LAN access or disabling UPnP if it is not required.

Apply any available patches or updates for the luci-app-upnp package that address this stored cross-site scripting vulnerability.

Avoid viewing the UPnP or Status pages in the LuCI web interface from untrusted networks or devices until the vulnerability is fixed.

Consider monitoring and filtering SOAP AddPortMapping requests to detect and block malicious payloads targeting the NewPortMappingDescription field.

Compliance Impact

The vulnerability allows unauthenticated attackers on the local network to execute malicious JavaScript in the context of the administrator's browser, potentially leading to data theft or session hijacking.

Such unauthorized access and potential data compromise could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61875. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart