LeakyCreds

CVE-2026-32721 - Vulnerability Analysis

High | CVSS: 8.6

Last Updated: March 20, 2026

LuCI - Stored XSS

Published: March 19, 2026
Updated: March 20, 2026

Overview

LuCI versions prior to 24.10.5 and 25.12.0 contain a stored XSS vulnerability in the wireless scan modal: SSID values from scan results are rendered as raw HTML without sanitization, letting attackers execute arbitrary script when users open the modal.

Severity & Score

Severity: High
CVSS Score: 8.6
EPSS Score: 0.7% (Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary JavaScript in the user's browser, potentially stealing credentials or performing actions on behalf of the user.

Mitigation

Update to LuCI version 26.072.65753~068150b or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 19, 2026

🟠 CVE-2026-32721 - High (8.6) LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wire... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32721/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-32721
Severity: High
CVSS Score: 8.6
Type: stored_xss
Status: unconfirmed
EPSS: 0.7%
Social Posts: 1

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score

0.7% (Probability of exploitation in the next 30 days)