{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/client-side-execution/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-61875"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["luci-app-upnp"],"_cs_severities":["high"],"_cs_tags":["cross-site-scripting","xss","openwrt","router","web-vulnerability","client-side-execution"],"_cs_type":"advisory","_cs_vendors":["OpenWrt"],"content_html":"\u003cp\u003eCVE-2026-61875 identifies a critical stored cross-site scripting (XSS) vulnerability within \u003ccode\u003eluci-app-upnp\u003c/code\u003e, a component of OpenWrt, an embedded operating system primarily used on routers. This vulnerability allows unauthenticated clients on the local area network (LAN) to inject arbitrary JavaScript code. The attack vector involves crafting a malicious UPnP IGD AddPortMapping SOAP request and embedding the JavaScript payload within the \u003ccode\u003eNewPortMappingDescription\u003c/code\u003e field. The \u003ccode\u003eminiupnpd\u003c/code\u003e daemon, responsible for handling UPnP requests, stores this malicious HTML without proper output encoding. Subsequently, when an administrator accesses the luci-app-upnp web interface and navigates to the UPnP or Status pages, the stored payload is rendered in their browser, executing the injected script. This flaw could lead to various client-side attacks, including session hijacking, credential theft, or further compromise of the administrator's system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated client gains access to the local area network (LAN) segment where the OpenWrt device is located.\u003c/li\u003e\n\u003cli\u003eThe client crafts a specially designed UPnP IGD AddPortMapping SOAP request.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript payload is embedded within the \u003ccode\u003eNewPortMappingDescription\u003c/code\u003e field of the SOAP request.\u003c/li\u003e\n\u003cli\u003eThe client sends the crafted SOAP request to the OpenWrt device's UPnP service, handled by the \u003ccode\u003eminiupnpd\u003c/code\u003e daemon.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eminiupnpd\u003c/code\u003e daemon processes the request and stores the malicious HTML content in its configuration or data store without sanitization.\u003c/li\u003e\n\u003cli\u003eAn administrator logs into the OpenWrt web interface (\u003ccode\u003eluci-app-upnp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe administrator navigates to the UPnP or Status pages, which display information including the stored port mapping descriptions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eluci-app-upnp\u003c/code\u003e interface renders the stored malicious HTML directly in the administrator's web browser, executing the embedded JavaScript.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-61875 grants attackers the ability to execute arbitrary client-side code within the context of an administrator's browser session. This can lead to severe consequences, such as session hijacking, allowing the attacker to take over the administrator's web session, perform actions as the administrator, or steal authentication cookies. It could also facilitate credential theft through phishing techniques, browser-based cryptocurrency mining, or redirecting administrators to malicious websites. While specific victim counts are not available, OpenWrt is widely deployed on consumer and small office/home office (SOHO) routers, making a large number of devices potentially vulnerable to unauthenticated LAN-side compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-61875 by updating OpenWrt \u003ccode\u003eluci-app-upnp\u003c/code\u003e to the latest version as recommended by OpenWrt to address the cross-site scripting vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual UPnP IGD AddPortMapping SOAP requests, particularly those with unusually long or HTML-like content in the \u003ccode\u003eNewPortMappingDescription\u003c/code\u003e field, which could indicate attempts to exploit CVE-2026-61875.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-12T12:25:52Z","date_published":"2026-07-12T12:25:52Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61875-luci-app-upnp-xss/","summary":"CVE-2026-61875 details a stored cross-site scripting vulnerability in OpenWrt's luci-app-upnp that allows unauthenticated LAN clients to inject malicious JavaScript into UPnP IGD AddPortMapping SOAP requests, leading to client-side code execution in an administrator's browser when viewing specific web interface pages.","title":"CVE-2026-61875: Stored Cross-Site Scripting in OpenWrt luci-app-upnp","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61875-luci-app-upnp-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Client-Side-Execution","version":"https://jsonfeed.org/version/1.1"}