Vendor
LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting Vulnerability (CVE-2026-61876)
1 TTP 1 CVELuCI versions are vulnerable to CVE-2026-61876, a stored Cross-Site Scripting (XSS) flaw in their DHCPv6 lease hostname rendering logic, allowing an adjacent network attacker to inject malicious HTML markup that executes in an administrator's browser when viewing DHCP lease status pages.
CVE-2026-61875: Stored Cross-Site Scripting in OpenWrt luci-app-upnp
2 TTPs 1 CVECVE-2026-61875 details a stored cross-site scripting vulnerability in OpenWrt's luci-app-upnp that allows unauthenticated LAN clients to inject malicious JavaScript into UPnP IGD AddPortMapping SOAP requests, leading to client-side code execution in an administrator's browser when viewing specific web interface pages.
OpenWrt luci-app-samba4 Vulnerability Allows Remote Command Execution
1 rule 2 TTPs 1 CVEA vulnerability in OpenWrt's luci-app-samba4, identified as CVE-2026-59260, allows authenticated delegated users to achieve remote command execution on the Samba daemon by leveraging improper ACLs that grant `file.exec` permission on `/usr/sbin/smbd`.