Security: openwrt/luci
Security
No security policy detected
This project has not set up a SECURITY.md file yet.
Report a vulnerability-
luci-app-banip: log monitor extracts first IP from log lines — attacker-controlled fields cause wrong-target blockingGHSA-r6hx-4f83-vp8m published
Jun 28, 2026 by dibdotHigh -
Command injection as root in luci-proto-openvpn generateKey (cl_meta field)GHSA-pm9w-522m-8rrh published
Jun 27, 2026 by jow-High -
luci-app-upnp: Stored XSS in luci-app-upnp, unauthenticated LAN client can inject JavaScript via UPnP port mapping descriptionGHSA-8v49-6387-7f89 published
Jun 27, 2026 by jow-High -
luci-mod-network: luci-mod-status: DHCPv6 lease hostname stored XSS in LuCI status tablesGHSA-686p-p8p9-x6fh published
Jun 27, 2026 by jow-High -
luci-app-travelmate delegated UCI write can execute travelmate auto-login command as rootGHSA-p35r-3323-6g7g published
Jun 17, 2026 by dibdotHigh -
luci-app-advanced-reboot read ACL exposes /bin/sh through file.exec, allowing delegated users to run commands as rootGHSA-vj96-f37g-37f6 published
Jun 16, 2026 by stangriHigh -
luci-proto-openvpn read ACL exposes generateKey, allowing delegated users to execute commands as rootGHSA-vrj9-6xwg-6cf9 published
Jun 27, 2026 by jow-High -
luci-app-samba4 read ACL allows authenticated root command execution via smbd file.execGHSA-vx64-mmp7-h36c published
Jun 27, 2026 by jow-High -
`luci-app-tailscale-community` allows delegated LuCI users to execute commands as root through `tailscale.do_login`GHSA-xwc5-mx58-rh35 published
Jun 11, 2026 by jow-Critical -
luci-app-adblock-fast:Delegated `luci-app-adblock-fast` users can reach root command execution by injecting newline-separated cron entriesGHSA-ggpf-xrph-wg5v published
Jun 15, 2026 by stangriHigh
Learn more about advisories related to openwrt/luci in the GitHub Advisory Database