PT-2026-26450 · Openwrt · Luci+1

Mxsasha · Published 2026-03-19 · Updated 2026-04-21 · CVE-2026-32721

CVSS v3.1

8.6 High

Vector

AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

LuCI versions prior to 24.10.5 and 25.12.0

Description

LuCI, the OpenWrt Configuration Interface, is affected by a stored Cross-Site Scripting (XSS) issue within the wireless scan modal. The system renders SSID values from scan results as raw HTML without proper sanitization. The wireless.js file within the luci-mod-network package utilizes a template literal to pass SSIDs to dom.append(), which then processes them through innerHTML. This allows an attacker to create a malicious SSID containing arbitrary HTML/JavaScript code. Exploitation requires a user to actively open the wireless scan modal, such as when connecting to a Wi-Fi access point or surveying nearby channels. The issue impacts OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The vulnerability is triggered by crafted SSIDs in the wireless scan modal.

Recommendations

LuCI versions prior to 24.10.5 should be updated to version 24.10.5 or later. LuCI versions prior to 25.12.0 should be updated to version 25.12.0 or later.
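
The pattern from the description, an SSID interpolated into a template literal that is later parsed as HTML, is shown here next to an escaped form as an added example; it is not LuCI's code or its actual patch. The names `escapeHTML`, `html`, `renderScanRowUnsafe` and `renderScanRowSafe` are hypothetical, and the scan results are constructed.

```javascript
// Added example: escapeHTML, html and renderScanRow* are hypothetical names,
// not LuCI's API. The scan results below are constructed sample data.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out into markup or attributes.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: literal parts are trusted markup, every interpolated value is escaped.
function html(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHTML(values[i]) : ''),
    ''
  );
}

// Pattern described in the advisory: the SSID is interpolated raw into a
// string that a sink such as innerHTML will later parse as HTML.
function renderScanRowUnsafe(net) {
  return `<td class="ssid">${net.ssid}</td><td>${net.channel}</td>`;
}

// Hardened form: same template, but interpolations are escaped; hidden
// networks (empty SSID) get a fixed placeholder.
function renderScanRowSafe(net) {
  const label = net.ssid === '' ? '(hidden)' : net.ssid;
  return html`<td class="ssid">${label}</td><td>${net.channel}</td>`;
}

// Constructed scan results: the SSID field is controlled by whoever runs the access point.
const scan = [
  { ssid: 'HomeNet', channel: 6 },
  { ssid: '<b>AT&T "guest"</b>', channel: 11 },
  { ssid: '', channel: 1 },
];

for (const net of scan) {
  console.log('unsafe:', renderScanRowUnsafe(net));
  console.log('safe:  ', renderScanRowSafe(net));
}
```

Where a DOM is available, assigning the SSID through `textContent` or a text node avoids HTML parsing of the value altogether.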

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-32721
GHSA-VVJ6-7362-PJRW

Affected Products

Luci
Luci-Mod-Network