A critical XSS vulnerability (CVE-2026-32721) in OpenWrt's LuCI web interface allows attackers to achieve remote root access by broadcasting a malicious SSID. When an administrator scans for nearby WiFi networks, the crafted SSID executes JavaScript in the admin interface; the administrator does not need to connect to the malicious network. The flaw sits in the wireless scanning functionality and can lead to complete system compromise.
Background
OpenWrt is a popular open-source operating system for embedded devices, particularly WiFi routers, that uses the LuCI web interface for administration. XSS vulnerabilities allow attackers to execute malicious scripts in the context of a user's browser session.
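The defensive pattern for this class of bug, as an added example that is not LuCI's code and not taken from the advisory: treat every field of a scan result as attacker-controlled and encode it when it is written into the page. The function names and the sample scan data are assumptions made for illustration.

```javascript
// Added example: not LuCI source code. All names here are hypothetical.

// An SSID is up to 32 arbitrary octets chosen by whoever runs the access point.
const MAX_SSID_BYTES = 32;

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
// A single pass means an already-produced '&amp;' is never escaped twice.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Turn raw SSID octets into a display string: cap the length, decode as UTF-8
// (invalid sequences become U+FFFD), and show control characters as \xNN.
function ssidToDisplay(bytes) {
  const raw = Uint8Array.from(bytes).subarray(0, MAX_SSID_BYTES);
  const text = new TextDecoder('utf-8').decode(raw);
  return text.replace(/[\u0000-\u001f\u007f]/g,
    (ch) => '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Build one table row per scan result; every scanned field is escaped on output.
function renderScanRows(results) {
  return results.map((r) =>
    `<tr><td>${escapeHtml(ssidToDisplay(r.ssid))}</td>` +
    `<td>${escapeHtml(r.bssid)}</td></tr>`).join('\n');
}

// Constructed sample scan results (not captured data).
const enc = new TextEncoder();
const sampleScan = [
  { ssid: enc.encode('HomeNet'), bssid: '02:00:00:00:00:01' },
  { ssid: enc.encode('<b>cafe</b> & "guests"'), bssid: '02:00:00:00:00:02' },
  { ssid: [0x41, 0x00, 0x0a, 0x42], bssid: '02:00:00:00:00:03' },
];

console.log(renderScanRows(sampleScan));
```

In browser code that builds DOM nodes directly, assigning the decoded SSID to `textContent` instead of `innerHTML` gives the same guarantee without a hand-written escaper.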
- Source: Lobsters
- Published: Mar 19, 2026 at 10:01 PM
- Score: 8.0 / 10