Privilege escalation in Openwrt

CVE-2026-30874

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH var…

EPSS: 0.000 (2.0th percentile) — read the EPSS interpretation.

Affected products

Openwrt — versions < 24.10.6

Weakness classification (CWE)

References

https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934 (x_refsource_CONFIRM)
https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81 (x_refsource_MISC)