CVE-2026-62184

Source
https://cve.org/CVERecord?id=CVE-2026-62184
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-62184.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-62184
Aliases
  • GHSA-r6hx-4f83-vp8m
Published
2026-07-13T21:30:09.248Z
Modified
2026-07-17T03:41:42.061173451Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
luci-app-banip Log Monitor IP Extraction Bypass
Details

luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP address into the login username field, causing banIP to block the wrong target while the real attacker remains unblocked.

Database specific
{
    "cwe_ids": [
        "CWE-116"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/62xxx/CVE-2026-62184.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/openwrt/luci

Affected ranges

Type
GIT
Repo
https://github.com/openwrt/luci
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.11.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-62184.json"