Lately, I’ve been experimenting with unusual XSS vectors. XSS (cross-site scripting) allows an attacker to execute arbitrary JavaScript in another …

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

A crafted WiFi SSID can trigger an XSS vulnerability in OpenWRT's LuCI web interface when an administrator opens the wireless scan page. The vulnerability exists in wireless.js within luci-mod-network, where SSID values are passed unsanitized into innerHTML. Using two access points simultaneously to overcome the 32-byte SSID length limit, an attacker can load arbitrary JavaScript in the admin session. The injected script then uses the ubus API to plant an SSH public key and enable gateway ports, resulting in persistent root SSH access with no visible indication to the admin. The fix replaces innerHTML with safe text node insertion and is available in OpenWrt 24.10.6 and 25.12.1. The attack requires no credentials and no interaction beyond the admin opening the scan page while malicious SSIDs are in range.

Root from the parking lot: OpenWRT XSS through SSID scanning (CVE-2026-32721)