PT-2026-57559 · Openwrt · Luci-App-Upnp

Lujiefsi

·

Published

2026-07-12

·

Updated

2026-07-12

·

CVE-2026-61875

CVSS v3.1

8.8

High

VectorAV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions luci-app-upnp (affected versions not specified)
Description Stored cross-site scripting occurs when unauthenticated LAN clients inject JavaScript through UPnP IGD AddPortMapping SOAP requests. The issue arises because the NewPortMappingDescription field can contain malicious HTML, which is stored by miniupnpd and subsequently rendered by luci-app-upnp without output encoding. This allows the payload to execute when administrators access the UPnP or Status pages.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61875

Affected Products

Luci-App-Upnp