CVE-2026-32721: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openwrt luci
LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0 contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in LuCI version 26.072.65753~068150b.
AI Analysis
Technical Summary
CVE-2026-32721 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the LuCI web interface component of OpenWrt, a widely used open-source router firmware. The vulnerability arises from improper neutralization of input during web page generation, specifically in the wireless scan modal feature. When a user opens this modal to scan for nearby Wi-Fi networks, the SSID values from scan results are passed through a JavaScript template literal to the DOM via innerHTML without any sanitization or encoding. Because innerHTML processes the SSID as raw HTML, an attacker can craft a malicious SSID containing arbitrary HTML or JavaScript code. When the vulnerable modal is opened, this code executes in the context of the LuCI web interface, potentially allowing an attacker to steal session cookies, perform actions on behalf of the user, or pivot to other internal systems. Exploitation requires the victim to actively open the wireless scan modal, which means user interaction is necessary. The vulnerability affects OpenWrt versions newer than 23.05/22.03 up to versions before 26.072.65753~068150b, with the fix implemented in LuCI 26.072.65753~068150b. The CVSS 3.1 base score is 8.6, indicating high severity, with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits in the wild have been reported yet.
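The rendering flaw described above, reduced to an added example (not LuCI's code; the function names and scan data are constructed for illustration). It models the innerHTML sink as a markup string so it runs under Node without a DOM, and puts the unescaped template literal beside an escaped one.

```javascript
// Added example, not LuCI source. All names and sample data are hypothetical.
// The returned markup string stands in for what an innerHTML-based sink would parse.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML parsing context (single pass,
// so an existing "&" is never double-encoded).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: scan data interpolated straight into markup.
function renderSsidUnsafe(ssid) {
  return `<span class="ssid">${ssid}</span>`;
}

// Hardened pattern: the SSID is encoded before it reaches the HTML parser.
function renderSsidSafe(ssid) {
  return `<span class="ssid">${escapeHtml(ssid)}</span>`;
}

// Count element start tags in a markup string (rough model of the elements a parser would create).
function countStartTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed scan results; the second SSID carries benign markup.
const sampleScan = [
  { bssid: '02:00:00:00:00:01', ssid: 'office-guest' },
  { bssid: '02:00:00:00:00:02', ssid: '<b>cafe</b> & "co"' },
];

// Triage helper: BSSIDs whose SSID would alter the markup if rendered unescaped.
function ssidsNeedingEscape(scan) {
  return scan.filter((ap) => escapeHtml(ap.ssid) !== ap.ssid).map((ap) => ap.bssid);
}

for (const ap of sampleScan) {
  // Prints start-tag counts for the unsafe and safe rendering of each SSID.
  console.log(ap.bssid, countStartTags(renderSsidUnsafe(ap.ssid)), countStartTags(renderSsidSafe(ap.ssid)));
}
```

In browser code the equivalent fix is to assign the SSID through `textContent` or a text node instead of building markup from it.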
Potential Impact
The vulnerability poses a significant risk to organizations using OpenWrt devices with the vulnerable LuCI interface, especially in environments where the wireless scan modal is accessed frequently. Successful exploitation can lead to full compromise of the LuCI web session, allowing attackers to execute arbitrary JavaScript, steal credentials or session tokens, manipulate router configurations, or launch further attacks within the internal network. This can result in loss of confidentiality, integrity, and availability of network infrastructure. Since OpenWrt is popular in enterprise, ISP, and industrial settings, the impact can extend to critical network management systems. The requirement for user interaction and local access somewhat limits remote exploitation, but social engineering or insider threats could facilitate attacks. The vulnerability also undermines trust in network device management interfaces, potentially leading to broader security incidents if exploited at scale.
Mitigation Recommendations
Organizations should immediately upgrade affected OpenWrt devices to LuCI version 26.072.65753~068150b or later, where the vulnerability is patched. Until updates can be applied, restrict access to the LuCI web interface by limiting it to trusted management networks or VPNs, and disable wireless scanning features if not required. Implement network segmentation to isolate management interfaces from general user networks. Educate users and administrators about the risks of opening the wireless scan modal and encourage cautious behavior. Employ web application firewalls (WAFs) or intrusion detection systems (IDS) to monitor for suspicious activity related to malformed SSIDs or XSS payloads. Regularly audit router firmware versions and configurations to ensure compliance with security best practices. Finally, consider additional hardening of router management interfaces by enforcing strong authentication and using HTTPS to protect session confidentiality.
Affected Countries
United States, Germany, China, Japan, South Korea, France, United Kingdom, India, Brazil, Russia, Australia, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T15:02:00.625Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69bc8223e32a4fbe5f062179
Added to database: 3/19/2026, 11:09:23 PM
Last enriched: 3/19/2026, 11:23:40 PM
Last updated: 3/20/2026, 2:06:57 AM