CVE-2026-61876
Received Received - Intake

LuCI DHCPv6 Hostname HTML Injection Vulnerability

Vulnerability report for CVE-2026-61876, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulnCheck

Description

LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openwrt luci to 3.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-61876 is a stored cross-site scripting (XSS) vulnerability in LuCI, the web interface used by OpenWrt. It occurs because LuCI fails to properly encode DHCPv6 lease hostnames before displaying them in status tables.

An attacker on the same local network can send a DHCPv6 Client Fully Qualified Domain Name (FQDN) containing malicious HTML or script tags. This malicious hostname is stored and later rendered as raw HTML in the administrator's browser when viewing DHCP lease pages, causing the injected scripts to execute.

This vulnerability allows execution of arbitrary code in the context of the administrator's browser session without requiring authentication.

Compliance Impact

CVE-2026-61876 is a high-severity stored cross-site scripting (XSS) vulnerability that allows attackers on an adjacent network to execute arbitrary scripts in the administrator's browser. This can lead to unauthorized access, modification, or disclosure of sensitive configuration data and administrative actions.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure administrative access controls.

Specifically, the vulnerability could lead to breaches of confidentiality, integrity, and availability of network management data, which are critical aspects covered by these regulations.

Impact Analysis

This vulnerability can have severe impacts including allowing an attacker to execute arbitrary scripts in the administrator's browser session.

  • The attacker can perform actions on behalf of the administrator.
  • They may modify device configurations or settings.
  • It can enable pivoting to other administrative requests or functions.

Because the attacker only needs access to the local network and no authentication, the risk is significant, especially in environments where network access is shared or not tightly controlled.

Detection Guidance

This vulnerability can be detected by inspecting DHCPv6 lease hostnames for malicious HTML or script tags injected via DHCPv6 Client FQDNs. Since the odhcpd service stores lease hostnames in the file /tmp/odhcpd.leases, examining this file for suspicious entries is a key step.

A practical approach is to check the contents of /tmp/odhcpd.leases for any hostnames containing HTML markup or script tags.

  • Run the command: cat /tmp/odhcpd.leases | grep -i '<script>'
  • Alternatively, search for any HTML tags with: cat /tmp/odhcpd.leases | grep -E '<.*?>'

Additionally, monitoring the LuCI web interface pages (Status > Overview or Network > DHCP and DNS) for unexpected script execution or unusual behavior when viewing DHCP leases can help detect exploitation.

Mitigation Strategies

Immediate mitigation involves preventing the execution of injected scripts by ensuring that DHCPv6 lease hostnames are properly encoded before rendering in the LuCI web interface.

Specifically, the remediation is to modify the LuCI code to wrap untrusted hostname or IP strings in safe DOM methods such as document.createTextNode() or use array syntax before passing them to DOM rendering functions, thereby preventing raw HTML parsing and script execution.

Affected files include modules/luci-mod-status/htdocs/luci-static/resources/view/status/include/40_dhcp.js and modules/luci-mod-network/htdocs/luci-static/resources/view/network/dhcp.js, where this fix should be applied.

Until a patched version is applied, restrict access to the local network to trusted users only, as exploitation requires adjacent network access.

Also, monitor and clean any malicious entries in /tmp/odhcpd.leases to remove injected hostnames.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61876. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart