Product
LuCI versions are vulnerable to CVE-2026-61876, a stored Cross-Site Scripting (XSS) flaw in their DHCPv6 lease hostname rendering logic, allowing an adjacent network attacker to inject malicious HTML markup that executes in an administrator's browser when viewing DHCP lease status pages.