Coordination notice: private security reports submitted via GitHub advisories
ctf_0x01 at foxmail.com
ctf_0x01 at foxmail.com
Fri Jun 12 01:06:41 PDT 2026
Hello OpenWrt administrators,
I submitted several private security reports through GitHub Security Advisories for openwrt/openwrt, and I also tried to notify contact at openwrt.org. That message appears to be delayed or not deliverable from my mailbox, so I am sending this brief coordination notice here as suggested by the OpenWrt security documentation.
The reports concern multiple issues in OpenWrt official package/feed components. The overall severity ranges from moderate to high. The findings include authenticated root command execution through delegated LuCI/rpcd permissions, a USB hotplug root command execution issue, and a stable-branch backport gap for a command-injection fix.
I have intentionally not included technical exploit details or PoC material in this public email. The full details, affected source paths, harmless PoC packages, tested versions, and suggested fixes are already included in the private GitHub security advisories.
Could you please let me know whether the OpenWrt security team can access these GitHub advisories, or whether you prefer another private channel for coordination?
Best regards,
ZwCrazyThursday
--------------
ctf_0x01 at foxmail.com
More information about the openwrt-adm
mailing list