VYPR

Luci

by Openwrt

CVEs (13)

  • CVE-2024-51240 | High | Nov 5, 2024
    risk 0.52 | cvss 8.0 | epss 0.00

    An issue in the luci-mod-rpc package in OpenWRT Luci LTS allows for privilege escalation from an admin account to root via the JSON-RPC-API, which is exposed by the luci-mod-rpc package.

  • CVE-2026-32721 | High | Mar 19, 2026
    risk 0.49 | cvss 8.6 | epss 0.00

    LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0 contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the…

  • CVE-2025-57389 | Medium | Oct 1, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    A reflected cross-site scripting (XSS) vulnerability in the /admin/system/packages endpoint of Luci OpenWRT v18.06.2 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload. This vulnerability was fixed in OpenWRT v19.07.0.

  • CVE-2019-12272 | May 23, 2019
    risk 0.01 | cvss n/a | epss 0.07

    In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability.

  • CVE-2023-24182 | Apr 11, 2023
    risk 0.00 | cvss n/a | epss 0.01

    LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /system/sshkeys.js.

  • CVE-2023-24181 | Apr 10, 2023
    risk 0.00 | cvss n/a | epss 0.01

    LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm.

  • CVE-2022-41435 | Nov 3, 2022
    risk 0.00 | cvss n/a | epss 0.00

    OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments.

  • CVE-2021-32019 | Aug 2, 2021
    risk 0.00 | cvss n/a | epss 0.01

    There is missing input validation of host names displayed in OpenWrt before 19.07.8. The Connection Status page of the luci web-interface allows XSS, which can be used to gain full control over the affected system via ICMP.

  • CVE-2021-33425 | May 25, 2021
    risk 0.00 | cvss n/a | epss 0.01

    A stored cross-site scripting (XSS) vulnerability was discovered in the Web Interface for OpenWRT LuCI version 19.07 which allows attackers to inject arbitrary JavaScript in the OpenWRT Hostname via the Hostname Change operation.

  • CVE-2021-27821 | May 25, 2021
    risk 0.00 | cvss n/a | epss 0.01

    The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution.

  • CVE-2019-25015 | Jan 21, 2021
    risk 0.00 | cvss n/a | epss 0.01

    LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafted SSID.

  • CVE-2020-10871 | Mar 23, 2020
    risk 0.00 | cvss n/a | epss 0.02

    In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other…

  • CVE-2019-18992 | Dec 3, 2019
    risk 0.00 | cvss n/a | epss 0.01

    OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/admin/network/firewall/rules URI: "Open ports on router" and "New forward rule" and "New Source NAT" (this can occur, for example, on a TP-Link Archer C7 device).