CVE-2026-61876
Severity CVSS v4.0:
CRITICAL
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
12/07/2026
Last modified:
12/07/2026
Description
LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.
Impact
Base Score 4.0
9.40
Severity 4.0
CRITICAL
Base Score 3.x
8.80
Severity 3.x
HIGH



