๐Ÿ” CVE Alert

CVE-2026-62948

CRITICAL 9.6

OpenWrt odhcpd/LuCI: unauthenticated DHCPv6 client can inject lease-file lines via FQDN hostname โ†’ stored XSS in the LuCI admin UI

CVSS Score
9.6
EPSS Score
0.0%
EPSS Percentile
0th

OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, odhcpd writes a DHCPv6 client FQDN option 39 hostname into /tmp/odhcpd.leases through src/statefiles.c statefiles_write_state6() and statefiles_write_state4() without escaping, allowing newline injection of forged lease lines that LuCI rpcd-mod-luci getDHCPLeases displays through htdocs/luci-static/resources/view/status/include/40_dhcp.js and htdocs/luci-static/resources/luci.js dom.append as live HTML in the Active DHCPv6 Leases admin page. This vulnerability is fixed in 25.12.5.

CWE CWE-79 CWE-117 CWE-150
Vendor openwrt
Product openwrt
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for openwrt openwrt

Be the first to know when new critical vulnerabilities affecting openwrt openwrt are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

openwrt / openwrt
< 25.12.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/openwrt/openwrt/security/advisories/GHSA-hhmc-92hw-535f github.com: https://github.com/openwrt/odhcpd/pull/404 github.com: https://github.com/openwrt/luci/commit/55379d04fcc3c605003a5001d6135cf02ae6048a github.com: https://github.com/openwrt/odhcpd/commit/68f382690bfaec56d5b1f31c3c31c48bcb642e3a github.com: https://github.com/openwrt/openwrt/releases/tag/v25.12.5