Openwrt Luci
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Openwrt Luci.
By the Year
In 2026 there have been 1 vulnerability in Openwrt Luci with an average score of 8.6 out of ten. Luci did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 8.60 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 2 | 5.40 |
| 2022 | 1 | 5.40 |
| 2021 | 1 | 6.10 |
| 2020 | 1 | 0.00 |
| 2019 | 1 | 0.00 |
It may take a day or so for new Luci vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Openwrt Luci Security Vulnerabilities
OpenWrt LuCI XSS in Wireless Scan Modal (v24.10.5/25.12.0)
CVE-2026-32721
8.6 - High
- March 19, 2026
LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.
XSS
Stored XSS in LuCI 22.03 sshkeys.js (CVE-2023-24182)
CVE-2023-24182
5.4 - Medium
- April 11, 2023
LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /system/sshkeys.js.
XSS
LuCI 22.03 Reflected XSS via /openvpn/pageswitch.htm (CVE-2023-24181)
CVE-2023-24181
5.4 - Medium
- April 10, 2023
LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm.
XSS
Stored XSS in OpenWRT LuCI /system/sshkeys.js (git-22.140.66206-02913be)
CVE-2022-41435
5.4 - Medium
- November 03, 2022
OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments.
XSS
The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability
CVE-2021-27821
6.1 - Medium
- May 25, 2021
The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution.
XSS
In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services
CVE-2020-10871
- March 23, 2020
In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further
In OpenWrt LuCI through 0.10
CVE-2019-12272
- May 23, 2019
In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability.
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Openwrt Luci or by Openwrt? Click the Watch button to subscribe.
