CVE-2026-61875

high

Description

luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders without output encoding, executing the payload when administrators view the UPnP or Status pages.

References

https://www.vulncheck.com/advisories/luci-app-upnp-stored-xss-via-upnp-port-mapping-description

https://github.com/openwrt/luci/security/advisories/GHSA-8v49-6387-7f89

Details

Source: Mitre, NVD

Published: 2026-07-12

Updated: 2026-07-12

Risk Information

CVSS v2

Base Score: 8.3

Vector: CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Severity: High