LeakyCreds

CVE-2026-32721 - Vulnerability Analysis

Severity: High
CVSS: 8.6

Last Updated: March 19, 2026

LuCI - Stored XSS

Published: March 19, 2026
Updated: March 19, 2026

Overview

LuCI versions before 24.10.5 and before 25.12.0 contain a stored XSS vulnerability: SSID values are rendered as raw HTML, without sanitization, in the wireless scan modal, so an attacker-controlled SSID can execute arbitrary script when a user opens the modal.

Severity & Score

Severity: High
CVSS Score: 8.6
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary JavaScript in the user's browser, potentially stealing credentials or performing actions on behalf of the user.

Mitigation

Update to LuCI version 26.072.65753~068150b or later.

Social Media Activity (2 posts)

Lobsters (@lobsters), Mar 19, 2026

Root from the parking lot: OpenWRT XSS through SSID scanning (CVE-2026-32721) https://lobste.rs/s/vteijd #security https://mxsasha.eu/posts/openwrt-ssid-xss-to-root/


Details

CVE ID: CVE-2026-32721
Severity: High
CVSS Score: 8.6
Type: stored_xss
Status: new
EPSS: 0.0%
Social Posts: 2

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score

0.0% (probability of exploitation in the next 30 days)