Executive Summary

A stored cross-site scripting vulnerability exists in luci-app-upnp, a package used in OpenWRT, which allows unauthenticated LAN clients to inject malicious JavaScript via UPnP IGD AddPortMapping SOAP requests. This vulnerability, tracked as CVE-2026-61875, has a CVSS score of 8.8 and is considered high severity. The vulnerability affects the OpenWRT product 'luci'.

Technical Analysis

The vulnerability class of CVE-2026-61875 is stored cross-site scripting (XSS). The attack vector involves an unauthenticated LAN client sending a malicious SOAP request to the UPnP IGD AddPortMapping endpoint. Specifically, the attacker can inject malicious HTML in the NewPortMappingDescription field. The miniupnpd service stores this input, and luci-app-upnp renders it without proper output encoding. When an administrator views the UPnP or Status pages, the payload is executed.

How It Gets Exploited

An attacker on the same network as the device running luci-app-upnp can send a crafted UPnP IGD AddPortMapping SOAP request with a malicious NewPortMappingDescription field. For example, an attacker might send a request with a description field containing JavaScript code. The miniupnpd service stores this input, and when an administrator views the UPnP or Status pages in the luci-app-upnp interface, the JavaScript payload is executed. This allows the attacker to perform actions on behalf of the administrator or steal sensitive information.

Impact Assessment

The affected product is 'luci' from OpenWRT, specifically the luci-app-upnp package. The vulnerability has a CVSS score of 8.8, indicating high severity. Successful exploitation can lead to confidentiality and integrity impacts, potentially allowing attackers to execute arbitrary JavaScript code in the context of an administrator's session.

Recommended Actions

To mitigate this vulnerability, users should update the luci-app-upnp package to the latest version available from OpenWRT. Additionally, network administrators should ensure that only trusted devices and users have access to the LAN where the vulnerable device resides. Implementing a Web Application Firewall (WAF) rule to detect and block suspicious UPnP traffic may also help prevent exploitation.

Sources

- National Vulnerability Database (NVD) - OpenWRT Security Advisories - Vulncheck Advisories