VYPR
Vendor: OpenWrt

Products: 9
CVEs: 38
Across products: 42
Status: Private

Recent CVEs (38 total)
  • CVE-2018-11116 | High | Jun 19, 2018
    risk 0.57 | cvss 8.8 | epss 0.02

    OpenWrt mishandles access control in /etc/config/rpcd and the /usr/share/rpcd/acl.d files, which allows remote authenticated users to call arbitrary methods (i.e., achieve ubus access over HTTP) that were only supposed to be accessible to a specific user, as demonstrated by the…

  • CVE-2024-54143 | Critical | Dec 6, 2024
    risk 0.54 | cvss n/a | epss 0.02

    openwrt/asu is an image on demand server for OpenWrt based distributions. The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously…

  • CVE-2024-51240 | High | Nov 5, 2024
    risk 0.52 | cvss 8.0 | epss 0.00

    An issue in the luci-mod-rpc package in OpenWRT Luci LTS allows for privilege escalation from an admin account to root via the JSON-RPC-API, which is exposed by the luci-mod-rpc package.

  • CVE-2026-32721 | High | Mar 19, 2026
    risk 0.49 | cvss 8.6 | epss 0.00

    LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0 contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the…

  • CVE-2023-30312 | High | May 28, 2024
    risk 0.47 | cvss 7.3 | epss 0.00

    An issue discovered in OpenWrt 18.06, 19.07, 21.02, 22.03, and beyond allows off-path attackers to hijack TCP sessions, which could lead to a denial of service, impersonating the client to the server (e.g., for access to files over FTP), and impersonating the server to the…

  • CVE-2025-57389 | Medium | Oct 1, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    A reflected cross-site scripting (XSS) vulnerability in the /admin/system/packages endpoint of Luci OpenWRT v18.06.2 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload. This vulnerability was fixed in OpenWRT v19.07.0.

  • CVE-2019-12272 | May 23, 2019
    risk 0.01 | cvss n/a | epss 0.07

    In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability.

  • CVE-2026-30874 | Mar 19, 2026
    risk 0.00 | cvss n/a | epss 0.00

    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege…

  • CVE-2026-30873 | Mar 19, 2026
    risk 0.00 | cvss n/a | epss 0.01

    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting…

  • CVE-2026-30872 | Mar 19, 2026
    risk 0.00 | cvss n/a | epss 0.02

    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS…

  • CVE-2026-30871 | Mar 19, 2026
    risk 0.00 | cvss n/a | epss 0.01

    OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains…

  • CVE-2025-62526 | Oct 22, 2025
    risk 0.00 | cvss n/a | epss 0.00

    OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the…

  • CVE-2025-62525 | Oct 22, 2025
    risk 0.00 | cvss n/a | epss 0.00

    OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, local users could read and write arbitrary kernel memory using the ioctls of the ltq-ptm driver which is used to drive the datapath of the DSL line. This only affects the lantiq…

  • CVE-2023-24182 | Apr 11, 2023
    risk 0.00 | cvss n/a | epss 0.01

    LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /system/sshkeys.js.

  • CVE-2023-24181 | Apr 10, 2023
    risk 0.00 | cvss n/a | epss 0.01

    LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm.

  • CVE-2022-41435 | Nov 3, 2022
    risk 0.00 | cvss n/a | epss 0.00

    OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments.

  • CVE-2022-38333 | Sep 19, 2022
    risk 0.00 | cvss n/a | epss 0.01

    OpenWrt before v21.02.3 and OpenWrt v22.03.0-rc6 were discovered to contain two skip loops in the function header_value(). This vulnerability allows attackers to access sensitive information via a crafted HTTP request.

  • CVE-2021-45904 | Dec 27, 2021
    risk 0.00 | cvss n/a | epss 0.01

    OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen.

  • CVE-2021-45905 | Dec 27, 2021
    risk 0.00 | cvss n/a | epss 0.01

    OpenWrt 21.02.1 allows XSS via the Traffic Rules Name screen.

  • CVE-2021-45906 | Dec 27, 2021
    risk 0.00 | cvss n/a | epss 0.01

    OpenWrt 21.02.1 allows XSS via the NAT Rules Name screen.