Security advisories

This page lists vulnerabilities affecting components directly maintained by the OpenWrt project. Issues in third-party components are backported into the supported releases when they apply, but are not enumerated here — see the upstream projects for those.

Additional advisories are published as GitHub Security Advisories on individual project repositories under github.com/openwrt (notably openwrt/asu and other components hosted there). When an issue is disclosed via the GitHub Security Advisory workflow rather than the wiki, it is linked here once published — but the GitHub repository pages are the authoritative source for those.

For the project’s overall security policy and how to report a vulnerability, see Security.

Date	CVE	Summary
2025-12-16	CVE-2025-14282	Dropbear privilege escalation via Unix domain socket forwarding
2025-10-22	CVE-2025-62526	ubusd: heap buffer overflow
2025-10-22	CVE-2025-62525	ltq-ptm: local privilege escalation
2024-12-06	CVE-2024-54143	OpenWrt Attended SysUpgrade server: Build artifact poisoning via truncated SHA-256 hash and command injection
2022-10-17	CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722	Multiple issues in mac80211 and cfg80211
2022-10-04	CVE-2022-39173	wolfSSL buffer overflow during a TLS 1.3 handshake
2021-08-01	CVE-2021-32019	XSS via missing input validation of host names displayed
2021-08-01	CVE-2021-33425	Stored XSS in hostname UCI variable
2021-08-01	CVE-2021-28961	luci-app-ddns: Multiple authenticated RCEs
2021-02-02	CVE-2020-36177	wolfSSL heap buffer overflow in RsaPad_PSS
2021-02-02	CVE-2021-22161	netifd and odhcp6c routing loop on IPv6 point to point links
2021-01-19	CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687	dnsmasq multiple vulnerabilities
2021-01-17	—	OpenWrt forum break-in on 16-Jan-2021
2020-12-09	CVE-2020-25705	Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack
2020-12-09	CVE-2020-28951	libuci import heap use after free
2020-05-06	CVE-2020-11750	umdns out-of-bounds reads of heap data and possible buffer overflow
2020-05-06	CVE-2020-11752	relayd out-of-bounds reads of heap data and possible buffer overflow
2020-02-21	CVE-2020-8597	ppp buffer overflow vulnerability
2020-01-31	CVE-2020-7982	Opkg susceptible to MITM
2020-01-31	CVE-2020-7248	libubox tagged binary data JSON serialization vulnerability
2020-01-13	CVE-2019-19945	uhttpd invalid data access via HTTP POST request
2019-11-05	CVE-2019-5101, CVE-2019-5102	ustream-ssl information disclosure
2019-11-05	—	LuCI stored XSS
2019-11-05	CVE-2019-17367	LuCI CSRF vulnerability