CVE-2026-61876 in luciinfo

Summary

by MITRE • 07/12/2026

LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/12/2026

This vulnerability exists within LuCI web interfaces where DHCPv6 lease hostnames are not properly sanitized before being rendered in status tables, creating a cross-site scripting opportunity. The flaw stems from inadequate input validation and output encoding practices that allow maliciously crafted DHCPv6 client fully qualified domain names to contain HTML markup or JavaScript code. When administrators view the DHCP lease status pages, the unescaped hostname values are directly inserted into the web page content without proper HTML entity encoding, enabling attackers positioned on the same network segment to inject arbitrary script tags within the DHCPv6 Client FQDN options.

The technical implementation of this vulnerability involves the manipulation of DHCPv6 client identification mechanisms where attackers can craft maliciously formatted Fully Qualified Domain Names that include script execution payloads. This represents a classic cross-site scripting vulnerability categorized under CWE-79 which specifically addresses improper neutralization of input during web page generation. The attack vector requires network adjacency since DHCPv6 packets are typically transmitted on local network segments, making this a network-based injection flaw rather than an internet-facing vulnerability. The attacker must be positioned within the same broadcast domain as the affected device to successfully inject malicious content through DHCPv6 communications.

The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with persistent access to administrative interfaces that could lead to complete system compromise. When administrators browse DHCP lease tables, their browsers execute the injected JavaScript code within the context of the LuCI application, potentially allowing for session hijacking, credential theft, or further privilege escalation. The vulnerability affects the integrity and confidentiality of network management interfaces since it enables attackers to manipulate administrative views and potentially gain insights into network topology and device configurations that would otherwise remain hidden from unauthorized access.

Mitigation strategies should focus on implementing proper output encoding and input validation measures within the LuCI web interface components responsible for rendering DHCPv6 lease information. The most effective approach involves sanitizing all user-supplied input values before rendering them in HTML contexts, specifically implementing HTML entity encoding for characters such as angle brackets, quotes, and other special characters that could enable script injection. Network segmentation and access control measures should also be enforced to limit the attack surface of vulnerable devices, while regular security updates and patch management processes should be maintained to address similar vulnerabilities across network infrastructure components. The remediation aligns with ATT&CK technique T1212 which targets application versioning information and T1059 which addresses command and scripting interpreters for executing malicious code within legitimate administrative contexts.

This vulnerability demonstrates the critical importance of proper input validation and output encoding in web applications, particularly those handling network management data where administrative interfaces are directly exposed to potentially untrusted network sources. The issue highlights the need for comprehensive security testing of network infrastructure components that handle dynamic data from various network protocols, emphasizing that even seemingly innocuous elements like hostname fields can become attack vectors when proper sanitization measures are not implemented across all application layers. Organizations should implement automated security scanning processes that specifically target web application vulnerabilities in network management interfaces to identify and remediate similar issues before they can be exploited by adversaries.

Responsible

VulnCheck

Reservation

07/10/2026

Disclosure

07/12/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!