<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Luci-App-Upnp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/luci-app-upnp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 12 Jul 2026 12:25:52 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/luci-app-upnp/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-61875: Stored Cross-Site Scripting in OpenWrt luci-app-upnp</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61875-luci-app-upnp-xss/</link><pubDate>Sun, 12 Jul 2026 12:25:52 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61875-luci-app-upnp-xss/</guid><description>CVE-2026-61875 details a stored cross-site scripting vulnerability in OpenWrt's luci-app-upnp that allows unauthenticated LAN clients to inject malicious JavaScript into UPnP IGD AddPortMapping SOAP requests, leading to client-side code execution in an administrator's browser when viewing specific web interface pages.</description><content:encoded><![CDATA[<p>CVE-2026-61875 identifies a critical stored cross-site scripting (XSS) vulnerability within <code>luci-app-upnp</code>, a component of OpenWrt, an embedded operating system primarily used on routers. This vulnerability allows unauthenticated clients on the local area network (LAN) to inject arbitrary JavaScript code. The attack vector involves crafting a malicious UPnP IGD AddPortMapping SOAP request and embedding the JavaScript payload within the <code>NewPortMappingDescription</code> field. The <code>miniupnpd</code> daemon, responsible for handling UPnP requests, stores this malicious HTML without proper output encoding. Subsequently, when an administrator accesses the luci-app-upnp web interface and navigates to the UPnP or Status pages, the stored payload is rendered in their browser, executing the injected script. This flaw could lead to various client-side attacks, including session hijacking, credential theft, or further compromise of the administrator's system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated client gains access to the local area network (LAN) segment where the OpenWrt device is located.</li>
<li>The client crafts a specially designed UPnP IGD AddPortMapping SOAP request.</li>
<li>The malicious JavaScript payload is embedded within the <code>NewPortMappingDescription</code> field of the SOAP request.</li>
<li>The client sends the crafted SOAP request to the OpenWrt device's UPnP service, handled by the <code>miniupnpd</code> daemon.</li>
<li>The <code>miniupnpd</code> daemon processes the request and stores the malicious HTML content in its configuration or data store without sanitization.</li>
<li>An administrator logs into the OpenWrt web interface (<code>luci-app-upnp</code>).</li>
<li>The administrator navigates to the UPnP or Status pages, which display information including the stored port mapping descriptions.</li>
<li>The <code>luci-app-upnp</code> interface renders the stored malicious HTML directly in the administrator's web browser, executing the embedded JavaScript.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-61875 grants attackers the ability to execute arbitrary client-side code within the context of an administrator's browser session. This can lead to severe consequences, such as session hijacking, allowing the attacker to take over the administrator's web session, perform actions as the administrator, or steal authentication cookies. It could also facilitate credential theft through phishing techniques, browser-based cryptocurrency mining, or redirecting administrators to malicious websites. While specific victim counts are not available, OpenWrt is widely deployed on consumer and small office/home office (SOHO) routers, making a large number of devices potentially vulnerable to unauthenticated LAN-side compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-61875 by updating OpenWrt <code>luci-app-upnp</code> to the latest version as recommended by OpenWrt to address the cross-site scripting vulnerability.</li>
<li>Monitor network traffic for unusual UPnP IGD AddPortMapping SOAP requests, particularly those with unusually long or HTML-like content in the <code>NewPortMappingDescription</code> field, which could indicate attempts to exploit CVE-2026-61875.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cross-site-scripting</category><category>xss</category><category>openwrt</category><category>router</category><category>web-vulnerability</category><category>client-side-execution</category></item></channel></rss>