CVE-2026-62948

CRITICALPre-NVD 9.69.6
EchelonGraph scoreLOW confidence

This critical-severity CVE scores 9.6 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: secondary
Elevated
9.6
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 9.6Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, odhcpd writes a DHCPv6 client FQDN option 39 hostname into /tmp/odhcpd.leases through src/statefiles.c statefiles_write_state6() and statefiles_write_state4() without escaping, allowing newline injection of forged lease lines that LuCI rpcd-mod-luci getDHCPLeases displays through htdocs/luci-static/resources/view/status/include/40_dhcp.js and htdocs/luci-static/resources/luci.js dom.append as live HTML in the Active DHCPv6 Leases admin page. This vulnerability is fixed in 25.12.5.

CVSS v3
9.6
EG Score
9.6(low)
EPSS
KEV
Not listed

Published

July 15, 2026

Last Modified

July 15, 2026

Advisory Details (5)

Auto-updated Jul 15, 2026
🔬 Proof of concept available. Patch available. Sources: github_commit, github_pr, github_release, github.
github Patch Available🟡 PoC Available

odhcpd/LuCI: unauthenticated DHCPv6 client can inject lease-file lines via FQDN hostname → stored XSS in the LuCI admin UI · Advisory · openwrt/openwrt · GitHub

https://github.com/openwrt/openwrt/security/advisories/GHSA-hhmc-92hw-535f
github_release Patch Available

v25.12.5

Patch available: openwrt/openwrt v25.12.5

https://github.com/openwrt/openwrt/releases/tag/v25.12.5
github_pr

statefiles: escape client hostnames in the lease state file

Fix merged in openwrt/odhcpd PR #404 on 2026-06-27 — awaiting tagged release

https://github.com/openwrt/odhcpd/pull/404
github_commit

commit 68f382690bfa (openwrt/odhcpd)

Fix landed in openwrt/odhcpd commit 68f382690bfa — awaiting tagged release

https://github.com/openwrt/odhcpd/commit/68f382690bfaec56d5b1f31c3c31c48bcb642e3a
github_commit

commit 55379d04fcc3 (openwrt/luci)

Fix landed in openwrt/luci commit 55379d04fcc3 — awaiting tagged release

https://github.com/openwrt/luci/commit/55379d04fcc3c605003a5001d6135cf02ae6048a

Weakness Classification(3)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 3× in last 7d / 3× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 22:13 UTCEG score recompute
  2. 2026-07-15 17:54 UTCEG score recompute
  3. 2026-07-15 17:53 UTCMITRE cvelistV5first tracked

Frequently asked(4)

What is CVE-2026-62948?
CVE-2026-62948 is a critical vulnerability published on July 15, 2026. OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, odhcpd writes a DHCPv6 client FQDN option 39 hostname into /tmp/odhcpd.leases through src/statefiles.c statefileswritestate6() and statefileswritestate4() without escaping, allowing newline injection of forged lease…
When was CVE-2026-62948 disclosed?
CVE-2026-62948 was first published in the National Vulnerability Database on July 15, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-62948?
CVE-2026-62948 has a CVSS v3 base score of 9.6 (NVD). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-62948?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-62948, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-62948

Explore →

Is Your Infrastructure Affected by CVE-2026-62948?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.