Home

Description

luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders without output encoding, executing the payload when administrators view the UPnP or Status pages.

PUBLISHED Reserved 2026-07-10 | Published 2026-07-12 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
HIGH: 8.8CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
affected

Credits

lujiefsi reporter

References

github.com/...t/luci/security/advisories/GHSA-8v49-6387-7f89 exploit

github.com/...t/luci/security/advisories/GHSA-8v49-6387-7f89 (GitHub Security Advisory (GHSA-8v49-6387-7f89)) vendor-advisory

www.vulncheck.com/...d-xss-via-upnp-port-mapping-description (VulnCheck Advisory: luci-app-upnp Stored XSS via UPnP Port Mapping Description) third-party-advisory

cve.org (CVE-2026-61875)

nvd.nist.gov (CVE-2026-61875)

Download JSON