CVE-2026-32721 in LuCI

Summary

by MITRE • 03/20/2026

LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0 contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.


Analysis

by VulDB Data Team • 03/23/2026

CVE-2026-32721 is a critical stored cross-site scripting flaw in the LuCI web interface of OpenWrt. It lies in the wireless scan modal, which fails to sanitize SSID values obtained from wireless scans before rendering them in the user interface. The flaw affects versions prior to 24.10.5 and 25.12.0 and is resolved in subsequent releases, including 24.10.6 and 25.12.1. It follows the classic XSS pattern: input under an attacker's control is embedded directly into HTML content without sanitization.

Technically, the flaw sits in the wireless.js file of the luci-mod-network package, where SSID values are interpolated into template literals and passed to dom.append(). That path renders through innerHTML, so an SSID containing HTML or JavaScript is parsed as markup and executes in the context of the user's browser session. What makes this notable is that the trigger is ordinary use: users open the wireless scan modal to connect to a network or survey channels. Exploitation therefore requires user interaction, but that interaction is part of routine network management.

The operational impact goes beyond simple script execution, because the code runs with the authenticated user's browser session. An attacker could steal session cookies, make unauthorized changes to the network configuration, or redirect the user to malicious websites. The affected population is OpenWrt systems running versions newer than 23.05 and 22.03 but older than the patched releases, which makes intermediate firmware versions the exposed ones. The need for the user to open the wireless scan modal limits automated exploitation, but the risk remains significant for network administrators and end users who regularly manage wireless connections.

Mitigation is to upgrade to the patched LuCI, specifically version 26.072.65753~068150b, which contains the sanitization fix. Organizations should apply the upgrade promptly and test it against existing network configurations to catch compatibility regressions. The fix addresses the root cause by HTML-sanitizing SSID values before they are rendered in the wireless scan modal, so crafted SSIDs can no longer execute code. The weakness is classified as CWE-79 (Cross-site Scripting) and is mapped under the ATT&CK framework to TA0001 (Initial Access) via T1190 (Exploit Public-Facing Application) and TA0002 (Execution) via T1059 (Command and Scripting Interpreter), since it lets attackers run malicious code in user browser sessions through crafted wireless network information.
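The unsafe interpolation pattern the analysis describes, beside a rendering that treats the SSID as text, as an added example that is not LuCI's own code: it models the dom.append()/innerHTML step at the string level so it runs in Node without a DOM, and the scan result is a constructed sample. The containsForeignTag() check is an assumed helper useful as a regression test for such a modal.

```javascript
// Added example (not LuCI code): contrasts an SSID interpolated into an HTML
// template literal (parsed as markup, as in the advisory) with an escaped
// rendering that keeps the SSID as data. String-level model, no DOM needed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// 802.11 SSIDs are at most 32 bytes; reject anything longer before rendering.
function isValidSsidLength(ssid) {
  return Buffer.byteLength(String(ssid), 'utf8') <= 32;
}

// Unsafe: mirrors the template-literal pattern. Whatever the SSID contains
// becomes markup once this string is assigned through innerHTML.
function renderScanRowUnsafe(result) {
  return `<div class="ssid">${result.ssid}</div><div class="bssid">${result.bssid}</div>`;
}

// Safe: every scan-derived value is escaped before it reaches the markup.
function renderScanRowSafe(result) {
  return `<div class="ssid">${escapeHtml(result.ssid)}</div>` +
         `<div class="bssid">${escapeHtml(result.bssid)}</div>`;
}

// Regression check: true when the rendered markup contains any tag that the
// template itself did not emit, i.e. a scan value was interpreted as HTML.
function containsForeignTag(html, allowed = ['div']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample: an SSID carrying harmless markup to show the difference.
const SAMPLE = { ssid: 'Free<b>WiFi</b>', bssid: '00:11:22:33:44:55' };
```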

Responsible: GitHub M
Reservation: 03/13/2026
Disclosure: 03/20/2026
Moderation: accepted
CPE: ready
EPSS: 0.00008
KEV: no
Activities: very low

Sources
