LuCI Wireless Scan Modal Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the LuCI OpenWrt Configuration Interface, specifically in versions prior to 24.10.5 and 25.12.0. The issue arises in the wireless scan modal, where SSID values from scan results are displayed as raw HTML without any sanitization. This vulnerability is present in the wireless.js file of the luci-mod-network package, which passes SSIDs to the DOM using innerHTML, allowing an attacker to inject malicious HTML or JavaScript through specially crafted SSIDs. Exploitation requires the user to open the wireless scan modal, and the vulnerability affects OpenWrt versions newer than 23.05/22.03, up to the patched releases.
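The following JavaScript is an added illustration, not code from LuCI or OpenWrt: it contrasts the pattern described above, an SSID interpolated into an HTML string that later reaches innerHTML, with a rendering that escapes every untrusted field first. The scan records, the SSID that carries markup, and the function names are constructed for the example.

```javascript
// Added example (not LuCI's code). A wireless SSID is attacker-controlled input: any radio
// in range chooses its own SSID, and 802.11 permits up to 32 arbitrary bytes, so the UI must
// treat it like any other untrusted string before it touches the DOM.

// Escape the characters that change meaning inside HTML content and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed scan results. The second SSID contains markup; the Wi-Fi driver passes it
// through unchanged, so it arrives in the scan modal exactly like this.
const SAMPLE_SCAN = [
  { ssid: 'HomeNet', bssid: '00:11:22:33:44:55', signal: -45 },
  { ssid: '<b>Free WiFi</b>', bssid: '66:77:88:99:aa:bb', signal: -70 },
];

// Vulnerable pattern (the class of bug in the advisory): the raw SSID is spliced into HTML
// text. Once that string is assigned to innerHTML, tags inside the SSID become live DOM.
function renderRowUnsafe(r) {
  return `<tr><td>${r.ssid}</td><td>${r.bssid}</td><td>${r.signal} dBm</td></tr>`;
}

// Hardened pattern: every string field is escaped, numeric fields are coerced to numbers.
// In a browser the equivalent is to build the row with createElement and assign the SSID to
// textContent, which never parses markup; string escaping is shown here so it runs offline.
function renderRowSafe(r) {
  return `<tr><td>${escapeHtml(r.ssid)}</td>` +
         `<td>${escapeHtml(r.bssid)}</td>` +
         `<td>${Number(r.signal)} dBm</td></tr>`;
}

// Render a whole scan table with a chosen row renderer.
function renderScanTable(results, renderRow) {
  return `<table>${results.map(renderRow).join('')}</table>`;
}

// Regression check a test suite could keep: after rendering, the only tags present must be
// the template's own. Any other tag name means untrusted input was not neutralised.
function hasForeignTag(html) {
  const allowed = new Set(['table', 'tr', 'td']);
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !allowed.has(t.replace(/^<\/?/, '').toLowerCase()));
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderScanTable(SAMPLE_SCAN, renderRowUnsafe));
  console.log('safe:  ', renderScanTable(SAMPLE_SCAN, renderRowSafe));
  console.log('unsafe leaks a tag:', hasForeignTag(renderScanTable(SAMPLE_SCAN, renderRowUnsafe)));
  console.log('safe leaks a tag:  ', hasForeignTag(renderScanTable(SAMPLE_SCAN, renderRowSafe)));
}
```

The `hasForeignTag` check is the kind of assertion worth adding to a UI test for any list populated from scan results, neighbour tables, DHCP hostnames or other data that arrives from the network rather than from the administrator.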

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, open the LuCI interface on an affected OpenWrt version. Navigate to the wireless section and open the scan modal. The SSIDs of nearby networks will be displayed. If an SSID contains malicious HTML or JavaScript, it will be executed, demonstrating the cross-site scripting vulnerability.

Remediation

Users can upgrade to LuCI version 26.072.65753~068150b or later. OpenWrt users should upgrade to version 24.10.6, 25.12.1 or later, including snapshot builds since March 13, 2026.

Added: Mar 19, 2026, 11:23 PM
Updated: Mar 19, 2026, 11:23 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 5.4
exploitability: 5.6
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.