
Description

A vulnerability was found in Luxul XWR-600 up to 4.0.1. It affects an unknown function of the Web Administration Interface component. Manipulating the argument Guest Network/Wireless Profile SSID results in cross-site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond with a technical statement.

PUBLISHED Reserved 2026-01-10 | Published 2026-01-11 | Updated 2026-01-12 | Assigner VulDB




MEDIUM: 4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P)
LOW: 2.4 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R)
LOW: 2.4 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R)
3.3 (AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR)

Problem types

Cross Site Scripting

Code Injection

Product status

4.0.0: affected
4.0.1: affected

Timeline

2026-01-10: Advisory disclosed
2026-01-10: VulDB entry created
2026-01-10: VulDB entry last update

Credits

AppSecHuntr (VulDB User) reporter

References

vuldb.com/?id.340435 (VDB-340435 | Luxul XWR-600 Web Administration cross site scripting) vdb-entry technical-description

vuldb.com/?ctiid.340435 (VDB-340435 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.727924 (Submit #727924 | Luxul XWR-600 Router Firmware Ver: 4.0.1 Cross Site Scripting) third-party-advisory

docs.google.com/...5lT0b-KE9m6xq8BY6eSixv6SgsGL1e8QQzeOkq5c/ exploit

cve.org (CVE-2025-15505)

nvd.nist.gov (CVE-2025-15505)
