CVE-2026-61876
EUVD-2026-4323612.07.2026, 12:16
LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.
Awaiting analysis
This vulnerability is currently awaiting analysis.