PatchSiren cyber security CVE debrief
CVE-2026-61875 openwrt CVE debrief
CVE-2026-61875 is a stored cross-site scripting vulnerability in luci-app-upnp. Unauthenticated LAN clients can inject JavaScript via UPnP IGD AddPortMapping SOAP requests by sending malicious HTML in the NewPortMappingDescription field. The payload executes when administrators view the UPnP or Status pages. This vulnerability has a high CVSS score of 8.7 and is considered a high-severity issue. Administrators and users of luci-app-upnp, especially those with exposed UPnP interfaces, should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- openwrt
- Product
- luci
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-12
- Original CVE updated
- 2026-07-12
- Advisory published
- 2026-07-12
- Advisory updated
- 2026-07-12
Who should care
Administrators and users of luci-app-upnp, especially those with exposed UPnP interfaces, should be aware of this vulnerability and take steps to mitigate it. This includes applying vendor patches or updates as soon as available, limiting access to UPnP interfaces to trusted networks and users, and monitoring UPnP and Status pages for suspicious activity.
Technical summary
The vulnerability exists in luci-app-upnp, which does not properly encode user-supplied input from the NewPortMappingDescription field in UPnP IGD AddPortMapping SOAP requests. This allows unauthenticated LAN clients to inject malicious JavaScript, which is stored and rendered without output encoding. When administrators view the UPnP or Status pages, the payload is executed. The vulnerability has a CVSS score of 8.7 and is considered high-severity.
Defensive priority
High
Recommended defensive actions
- Apply vendor patches or updates as soon as available
- Limit access to UPnP interfaces to trusted networks and users
- Monitor UPnP and Status pages for suspicious activity
- Consider implementing additional security controls, such as input validation and output encoding
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-12T12:16:46.260Z and has not been modified since then. The NVD entry is currently in the 'Received' status. This information is based on the supplied source corpus and may not reflect the current status of the vulnerability. Defenders should verify the affected scope and severity with the vendor or other trusted sources. The CVE record does not provide detailed information about the vulnerability, so defenders may need to review other sources for more information.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-12T12:16:46.260Z and has not been modified since then. The NVD entry is currently Received.