CVE-2026-32721
Published: 19 March 2026
Summary
CVE-2026-32721 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Openwrt Openwrt. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 0.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires filtering of SSID outputs in the wireless scan modal to prevent unsanitized HTML/JavaScript injection via innerHTML processing.
Mandates timely identification, reporting, and correction of the specific XSS flaw in LuCI by updating to patched versions 24.10.6 or 25.12.1.
Requires validation of scanned SSID inputs from wireless networks to reject or sanitize malicious payloads before rendering.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in LuCI wireless scan directly enables arbitrary JavaScript execution in the victim's browser (T1059.007) when the admin opens the scan modal; the attack is delivered through a trusted interface interaction resembling drive-by compromise (T1189).
NVD Description
LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file…
more
in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.
Deeper analysisAI
CVE-2026-32721 is a stored cross-site scripting (XSS) vulnerability in LuCI, the OpenWrt Configuration Interface, affecting versions prior to 24.10.5 and 25.12.0. The flaw resides in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without sanitization. Specifically, the wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, enabling injection of arbitrary HTML and JavaScript. It impacts OpenWrt versions newer than 23.05/22.03 up to the patched releases of 24.10.6 and 25.12.1, with a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-79.
An attacker can exploit this vulnerability by broadcasting a malicious SSID containing arbitrary HTML/JavaScript that an OpenWrt device will detect during a wireless scan. Exploitation requires a victim—typically an administrator or user with access to the LuCI web interface—to actively open the wireless scan modal, such as when attempting to connect to a Wi-Fi access point or survey nearby channels. Successful execution allows the injected script to run in the context of the victim's browser session, potentially leading to high confidentiality, integrity, and availability impacts due to the changed scope.
The OpenWrt LuCI security advisory (GHSA-vvj6-7362-pjrw) and related GitHub commits detail the fix, which has been applied in LuCI version 26.072.65753~068150b via commits 068150ba5f524ef6b03817b258d31ec310053fd6 and cdce600aaec66f762f18d608c74cbf3abcafe1c7. Mitigation involves updating to these patched versions, as no workarounds are specified in the provided references.
Details
- CWE(s)