CVE-2026-32721: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openwrt luci
LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0 contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.
AI Analysis
Technical Summary
CVE-2026-32721 is a stored cross-site scripting (XSS) vulnerability identified in the LuCI configuration interface of OpenWrt, specifically affecting versions prior to 26.072.65753~068150b. The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Within the wireless scan modal, SSID values obtained from Wi-Fi scan results are directly injected into the DOM using innerHTML via a template literal in the wireless.js file of the luci-mod-network package. Because these SSIDs are not sanitized, an attacker can craft a malicious SSID containing arbitrary HTML or JavaScript code. When a user opens the wireless scan modal to view or connect to Wi-Fi networks, the malicious payload executes in the context of the LuCI web interface. This can lead to theft of sensitive information, session hijacking, or further compromise of the device. Exploitation requires local network proximity to broadcast the malicious SSID and user interaction to open the scan modal. The vulnerability affects OpenWrt versions newer than 23.05/22.03 up to but not including 26.072.65753~068150b, with the fix implemented in that version. The CVSS v3.1 score is 8.6 (High), reflecting local attack vector, low complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild as of the publication date.
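The pattern described above, reduced to an added example that is not LuCI's code or its actual patch: an SSID interpolated into a template literal destined for innerHTML, next to a variant that encodes the value first. The function names and the scan data are hypothetical, and the SSID carrying markup is constructed and harmless.

```javascript
// Added illustration, not LuCI source. Runs under Node; no DOM required.

// Constructed scan results: the second SSID carries harmless markup to
// stand in for attacker-controlled input (SSIDs are at most 32 bytes).
const scanResults = [
  { ssid: 'HomeNet', signal: -48 },
  { ssid: '<i>Guest</i>', signal: -61 },
];

// Vulnerable pattern: the SSID is interpolated into a template literal
// that a caller would later hand to innerHTML.
function rowUnsafe(net) {
  return `<tr><td>${net.ssid}</td><td>${net.signal} dBm</td></tr>`;
}

// Output encoding for HTML text and quoted attribute values.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened pattern: same markup, but the SSID can only ever become text.
function rowSafe(net) {
  return `<tr><td>${escapeHTML(net.ssid)}</td><td>${net.signal} dBm</td></tr>`;
}

// Count the opening tags an HTML parser would see, to show whether the
// SSID changed the structure of the row.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// The row template itself has three opening tags (tr, td, td); any more
// means the SSID was parsed as markup.
function compare(net) {
  return {
    unsafeTags: countOpeningTags(rowUnsafe(net)),
    safeTags: countOpeningTags(rowSafe(net)),
  };
}
```

In browser code the same result comes from assigning the SSID through textContent or a text node, so that it never passes through the HTML parser.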
Potential Impact
The vulnerability enables an attacker to execute arbitrary JavaScript in the context of the LuCI web interface, potentially leading to full compromise of the device's management interface. This could allow attackers to steal administrative credentials, manipulate router configurations, install persistent backdoors, or disrupt network availability. Since OpenWrt is widely used in embedded devices and routers, exploitation could affect home users, enterprises, and service providers relying on these devices for network management. The requirement for user interaction (opening the wireless scan modal) and local network proximity limits remote exploitation but does not eliminate risk in environments where attackers can broadcast malicious SSIDs, such as public Wi-Fi hotspots or compromised internal networks. The scope includes all affected OpenWrt devices running vulnerable LuCI versions, which may be significant given OpenWrt's popularity in various regions. The high CVSS score indicates a serious threat to confidentiality, integrity, and availability.
Mitigation Recommendations
Administrators should immediately upgrade affected OpenWrt devices to LuCI version 26.072.65753~068150b or later, where the vulnerability is patched. If upgrading is not immediately possible, network administrators should restrict access to the LuCI interface to trusted networks only and disable wireless scanning features that trigger the vulnerable code path. Implement network segmentation to isolate management interfaces from untrusted wireless networks. Users should be educated to avoid opening the wireless scan modal in untrusted environments. Additionally, monitoring for unusual SSIDs and logging access to the LuCI interface can help detect potential exploitation attempts. Applying Content Security Policy (CSP) headers on the LuCI interface could provide an additional layer of defense against XSS exploitation. Vendors and integrators should review their firmware builds to ensure the patched LuCI version is included in future releases.
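One way to act on the "monitoring for unusual SSIDs" recommendation, as an added example that is not part of LuCI or of this advisory's source: a filter over scan output that flags SSIDs containing characters significant to an HTML parser. The scan text is constructed, its layout (a "Cell NN - Address:" line followed by a quoted ESSID line) is an assumption about `iwinfo` scan output, and the function names are hypothetical.

```javascript
// Added illustration, not part of LuCI or iwinfo. Runs under Node.

// Constructed sample; assumed layout: "Cell NN - Address: <BSSID>" followed
// by ESSID: "<name>". Hidden networks appear unquoted and are skipped.
const sampleScan = `
Cell 01 - Address: 02:00:00:00:00:01
          ESSID: "HomeNet"
Cell 02 - Address: 02:00:00:00:00:02
          ESSID: "<i>Guest</i>"
Cell 03 - Address: 02:00:00:00:00:03
          ESSID: unknown
Cell 04 - Address: 02:00:00:00:00:04
          ESSID: "Tom & Ann's"
`;

// Characters that are significant to an HTML parser, and control bytes.
const MARKUP_CHARS = /[<>&"']/;
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Pair each quoted ESSID with the BSSID of the cell it belongs to.
function parseScan(text) {
  const cells = [];
  let bssid = null;
  for (const line of text.split('\n')) {
    const cell = line.match(/^\s*Cell \d+ - Address: ([0-9A-Fa-f:]{17})\s*$/);
    if (cell) { bssid = cell[1]; continue; }
    const essid = line.match(/^\s*ESSID: "(.*)"\s*$/);
    if (essid && bssid) { cells.push({ bssid, ssid: essid[1] }); bssid = null; }
  }
  return cells;
}

// Return only the cells whose SSID deserves a second look, with reasons.
function flagSuspiciousSsids(text) {
  return parseScan(text)
    .map((c) => {
      const reasons = [];
      if (MARKUP_CHARS.test(c.ssid)) reasons.push('html-metacharacter');
      if (CONTROL_CHARS.test(c.ssid)) reasons.push('control-character');
      return { ...c, reasons };
    })
    .filter((c) => c.reasons.length > 0);
}
```

Legitimate network names can contain `&` or an apostrophe, as the fourth constructed cell does, so hits are triage leads rather than verdicts.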
Affected Countries
United States, Germany, China, India, Brazil, Russia, France, United Kingdom, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T15:02:00.625Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bc8223e32a4fbe5f062179
Added to database: 3/19/2026, 11:09:23 PM
Last enriched: 3/27/2026, 6:55:40 PM
Last updated: 5/2/2026, 10:48:15 PM