CVE-2026-61875: Stored Cross-Site Scripting in luci-app-upnp via UPnP IGD AddPortMapping SOAP Requests
A stored cross-site scripting vulnerability exists in luci-app-upnp, allowing unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. This vulnerability has a CVSS score of 8.8 and is considered high severity. Affected users should update luci-app-upnp to the latest version.