LuCI by OpenWrt
CVEs (13)
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-51240 | OpenWrt / LuCI | High | 0.52 | 8.0 | 0.00 | — | Nov 5, 2024 | An issue in the luci-mod-rpc package in OpenWRT Luci LTS allows for privilege escalation from an admin account to root via the JSON-RPC API, which is exposed by the luci-mod-rpc package. |
| CVE-2026-32721 | OpenWrt / LuCI | High | 0.49 | 8.6 | 0.00 | — | Mar 19, 2026 | LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0 contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the… |
| CVE-2025-57389 | OpenWrt / LuCI | Medium | 0.35 | 5.4 | 0.00 | — | Oct 1, 2025 | A reflected cross-site scripting (XSS) vulnerability in the /admin/system/packages endpoint of Luci OpenWRT v18.06.2 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload. This vulnerability was fixed in OpenWRT v19.07.0. |
| CVE-2019-12272 | OpenWrt / LuCI | — | 0.01 | — | 0.07 | — | May 23, 2019 | In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. |
| CVE-2023-24182 | OpenWrt / LuCI | — | 0.00 | — | 0.01 | — | Apr 11, 2023 | LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /system/sshkeys.js. |
| CVE-2023-24181 | OpenWrt / LuCI | — | 0.00 | — | 0.01 | — | Apr 10, 2023 | LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm. |
| CVE-2022-41435 | OpenWrt / LuCI | — | 0.00 | — | 0.00 | — | Nov 3, 2022 | OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments. |
| CVE-2021-32019 | OpenWrt / LuCI | — | 0.00 | — | 0.01 | — | Aug 2, 2021 | There is missing input validation of host names displayed in OpenWrt before 19.07.8. The Connection Status page of the luci web-interface allows XSS, which can be used to gain full control over the affected system via ICMP. |
| CVE-2021-33425 | OpenWrt / LuCI | — | 0.00 | — | 0.01 | — | May 25, 2021 | A stored cross-site scripting (XSS) vulnerability was discovered in the Web Interface for OpenWRT LuCI version 19.07 which allows attackers to inject arbitrary JavaScript in the OpenWRT Hostname via the Hostname Change operation. |
| CVE-2021-27821 | OpenWrt / LuCI | — | 0.00 | — | 0.01 | — | May 25, 2021 | The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. |
| CVE-2019-25015 | OpenWrt / LuCI | — | 0.00 | — | 0.01 | — | Jan 21, 2021 | LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafted SSID. |
| CVE-2020-10871 | OpenWrt / LuCI | — | 0.00 | — | 0.02 | — | Mar 23, 2020 | In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other… |
| CVE-2019-18992 | OpenWrt / LuCI | — | 0.00 | — | 0.01 | — | Dec 3, 2019 | OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/admin/network/firewall/rules URI: "Open ports on router" and "New forward rule" and "New Source NAT" (this can occur, for example, on a TP-Link Archer C7 device). |