Luci
This hub aggregates every CVE we track for Luci, a product in the operating systems space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 13
- Critical: 1
- High: 3
- In CISA KEV: 0
Severity distribution
Medium: 7, High: 3, Low: 2, Critical: 1
Monthly trend
[Chart: monthly trend, 2024-07 to 2026-06]
Latest CVEs
The 13 most recently published vulnerabilities affecting Luci.
- CVE-2026-32721: LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal (score 8.6)
- CVE-2024-51240: An issue in the luci-mod-rpc package in OpenWRT Luci LTS allows for privilege escalation from an admin account to root via the JSON-RPC-API, which is exposed by the luci-mod-rpc package (score 8.0)
- CVE-2023-3085: X-WRT luci 404 Error Template dispatcher.uc run_action cross site scripting (score 3.5)
- CVE-2023-24181: LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm. (score 5.4)
- CVE-2022-41435: OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to... (score 5.4)
- CVE-2021-27821: The Web Interface for OpenWRT LuCI version 19.07 and lower has been discovered to have a cross-site scripting vulnerability which can lead to attackers carrying out arbitrary code execution. (score 6.1)
- CVE-2020-10871: In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances... (score 5.3)
- CVE-2019-12272: In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. (score 9.8)
- CVE-2014-3593: Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. (score 6.0)
- CVE-2013-4482: Untrusted search path vulnerability in python-paste-script (aka paster) in Luci 0.26.0, when started using the initscript, allows local users to gain privileges via a Trojan horse .egg-info file in... (score 6.2)
- CVE-2013-4481: Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive i... (score 1.9)
- CVE-2011-0720: Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, a... (score 7.5)
- CVE-2010-3852: The default configuration of Luci 0.22.4 and earlier in Red Hat Conga uses "[INSERT SECRET HERE]" as its secret key for cookies, which makes it easier for remote attackers to bypass repoze.who auth... (score 6.4)
Product normalization is registry-driven with AI assist and human review.