[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-61876":6},{"stargazers_count":4,"fetched_at":5},7,"2026-07-12T12:27:57.653Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":44,"aliases":45,"duplicate_of":9,"upstream":46,"downstream":47,"duplicates":48,"related":49,"reserved_at":9,"published_at":50,"modified_at":50,"state":51,"summary":52,"references_raw":59,"kevs":70,"epss":9,"epss_history":71,"metrics":72,"affected":82},"CVE-2026-61876","LuCI versions fail to properly encode DHCPv6 lease hostnames before rendering in status tables, allowing adjacent network attackers to inject HTML markup. Attackers can send a DHCPv6 Client FQDN containing script tags that execute in the administrator's browser when viewing DHCP lease pages.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-79","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","weakness","Stable","Base","High",[20,24,28,32,36,40],{"id":21,"name":22,"techniques":23},"CAPEC-209","XSS Using MIME Type Mismatch",[],{"id":25,"name":26,"techniques":27},"CAPEC-588","DOM-Based XSS",[],{"id":29,"name":30,"techniques":31},"CAPEC-591","Reflected XSS",[],{"id":33,"name":34,"techniques":35},"CAPEC-592","Stored XSS",[],{"id":37,"name":38,"techniques":39},"CAPEC-63","Cross-Site Scripting (XSS)",[],{"id":41,"name":42,"techniques":43},"CAPEC-85","AJAX Footprinting",[],[],[],[],[],[],[],"2026-07-12T12:07:55.788Z","PUBLISHED",{"cisa_kev":53,"cisa_ransomware":53,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":54,"severity_score":55,"severity_version":56,"severity_source":57,"severity_vector":58,"severity_status":51},false,"critical",9.4,"v4.0","cve.org","CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",[60,65],{"url":61,"sources":62,"tags":63},"https://github.com/openwrt/luci/security/advisories/GHSA-686p-p8p9-x6fh",[57],[64],"Vendor Advisory",{"url":66,"sources":67,"tags":68},"https://www.vulncheck.com/advisories/luci-dhcpv6-lease-hostname-stored-cross-site-scripting",[57],[69],"Third Party Advisory",[],[],[73],{"source":57,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":74,"cvss_v4_0":80},{"baseScore":75,"baseSeverity":76,"vectorString":77,"impactScore":78,"exploitabilityScore":79},8.8,"HIGH","CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",10,5.4,{"baseScore":55,"baseSeverity":81,"vectorString":58,"impactScore":9,"exploitabilityScore":9},"CRITICAL",[]]