CVE-2026-61875 in LuCI
Summary
by MITRE • 07/12/2026
luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders without output encoding, executing the payload when administrators view the UPnP or Status pages.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/12/2026
This vulnerability exists within the luci-app-upnp package which provides a web interface for managing UPnP IGD (Internet Gateway Device) functionality on embedded routers and network devices. The flaw represents a classic stored cross-site scripting vulnerability that operates through the UPnP protocol's AddPortMapping SOAP request mechanism. When an unauthenticated attacker sends a maliciously crafted request containing HTML content in the NewPortMappingDescription field, the miniupnpd service processes and stores this data without proper input validation or sanitization. The luci-app-upnp web interface then renders this stored data without output encoding, creating a persistent XSS vector that affects administrators who view the UPnP or Status pages.
The technical exploitation of this vulnerability follows a specific attack pattern that aligns with CWE-79 Cross-site Scripting flaws in the CWE taxonomy. Attackers can craft malicious SOAP requests that include JavaScript payloads within the description field, which gets stored server-side and later executed client-side when administrators access the web interface. This represents a privilege escalation vector where unauthenticated attackers can compromise administrator sessions and potentially execute arbitrary code within the context of the web application. The vulnerability is particularly dangerous because it requires no authentication to exploit and can persist across reboots as long as the stored data remains in the miniupnpd database.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with a foothold for further compromise of network infrastructure. Administrators who view the UPnP status pages become victims of the stored XSS attack, potentially allowing attackers to steal session cookies, redirect users to malicious sites, or execute more sophisticated attacks such as credential theft. This vulnerability directly maps to ATT&CK technique T1059.007 Command and Scripting Interpreter: JavaScript within the MITRE ATT&CK framework for lateral movement and privilege escalation. The persistence of this vulnerability makes it particularly concerning for network administrators who may not immediately notice compromised systems, especially in environments where multiple administrators regularly access the web interface.
Mitigation strategies should focus on input validation and output encoding within the luci-app-upnp application to prevent malicious data from being stored or rendered without proper sanitization. The miniupnpd service should implement strict validation of all incoming SOAP request parameters, particularly those used for description fields. Network segmentation and access controls should be implemented to limit exposure of UPnP services to trusted networks only. Regular security updates for the luci-app-upnp package and underlying miniupnpd service are essential, as is monitoring for suspicious UPnP activity on network segments. Additionally, administrators should disable UPnP functionality when not required for specific services, and implement web application firewalls that can detect and block malicious SOAP requests containing script tags or other XSS payloads. The vulnerability demonstrates the importance of input validation at multiple layers in network infrastructure applications and highlights the need for security practices that follow the principle of least privilege in service configuration.