Flint 2 OP24-4.9.0 is looking very old and risky given this:
Security fixes

This release fixes several remotely triggerable vulnerabilities in core network services that are enabled by default. Updating is strongly recommended.

- odhcpd (DHCPv6/DHCPv4/RA server, enabled by default): multiple vulnerabilities reachable by a network-adjacent attacker were fixed by updating odhcpd:
  - CVE-2026-53921 (Critical): stack buffer overflow in the DHCPv6 IA reply serialization, triggerable with crafted DHCPv6 REQUEST packets. https://github.com/openwrt/odhcpd/security/advisories/GHSA-7fwx-hhrg-3496
  - CVE-2026-53918 (High): use-after-free in the DHCPv6 IA handler. https://github.com/openwrt/odhcpd/security/advisories/GHSA-44ff-jcwh-wgc2
  - CVE-2026-53920 (High): stack memory disclosure via a truncated DHCPv6 IA_NA/IA_PD option. https://github.com/openwrt/odhcpd/security/advisories/GHSA-p769-5v73-pc4f
  - CVE-2026-53922 (Moderate): pre-auth denial of service via a size_t underflow in DHCPv6 IA handling. https://github.com/openwrt/odhcpd/security/advisories/GHSA-7hcw-g2jh-pqv5
  - CVE-2026-55606 (Moderate): stack buffer overread caused by a DUID length endianness mismatch. https://github.com/openwrt/odhcpd/security/advisories/GHSA-x8x4-7gvf-gp45
  - No CVE assigned (Moderate, CVSS 5.4): the NDP relay accepted IPv6 Neighbor Solicitations with a hop limit other than 255 (RFC 4861 violation), letting an off-link attacker spoof NS packets through the relay (neighbor-cache poisoning, traffic redirection or DoS). Only relevant when the NDP relay is enabled. https://github.com/openwrt/odhcpd/security/advisories/GHSA-qvg7-9jf5-wgjc
- odhcpd / LuCI stored XSS (Critical): an unauthenticated DHCPv6 client could inject lease-file lines through a crafted FQDN hostname, resulting in stored cross-site scripting on the LuCI DHCPv6 leases status page. Fixed by escaping client hostnames in the lease state file. https://github.com/openwrt/openwrt/security/advisories/GHSA-hhmc-92hw-535f
- uhttpd (web server): three HTTP request smuggling issues on keep-alive connections were fixed:
  - CVE-2026-55612 (High): invalid chunk-length state reset. https://github.com/openwrt/uhttpd/security/advisories/GHSA-p55c-rmhc-qfm5
  - CVE-2026-55614 (High): case-sensitive Transfer-Encoding matching. https://github.com/openwrt/uhttpd/security/advisories/GHSA-mcfg-c4r7-pjpf
  - CVE-2026-55613 (Moderate): ubus POST body parse-error desync. https://github.com/openwrt/uhttpd/security/advisories/GHSA-wgwp-64hh-f52p
- cgi-io: ACL bypass / arbitrary file read (Moderate): a path-traversal flaw in the cgi-download handler let an authenticated user with wildcard read permission read any root-readable file (e.g. /etc/shadow). https://github.com/openwrt/openwrt/security/advisories/GHSA-jw5r-xhf5-2xcq
- LuCI (web interface): a set of issues in LuCI core modules and applications were fixed. Most let a logged-in user with limited (delegated) permissions escalate to root command execution; a few are stored XSS issues reachable by clients on the network. The privilege-escalation issues only apply if the affected app is installed and the account/ACL in question exists:
  - luci-app-tailscale-community (Critical, CVSS 9.9): command injection allowing delegated users to run commands as root via tailscale.do_login. https://github.com/openwrt/luci/security/advisories/GHSA-xwc5-mx58-rh35
  - luci-app-advanced-reboot (High): CVE-2026-55897 — a read ACL exposes /bin/sh via file.exec, allowing delegated users to run commands as root. https://github.com/openwrt/luci/security/advisories/GHSA-vj96-f37g-37f6
  - luci-app-adblock-fast (High): CVE-2026-55159 — delegated users can reach root command execution via newline-separated cron entries. https://github.com/openwrt/luci/security/advisories/GHSA-ggpf-xrph-wg5v
  - luci-app-samba4 (High): a read ACL allows authenticated root command execution via the smbd file.exec permission. https://github.com/openwrt/luci/security/advisories/GHSA-vx64-mmp7-h36c
  - luci-app-travelmate (High): a delegated UCI write can execute the travelmate auto-login command as root. https://github.com/openwrt/luci/security/advisories/GHSA-p35r-3323-6g7g
  - luci-app-upnp (High): stored XSS — an unauthenticated LAN client can inject JavaScript via a UPnP port-mapping description. https://github.com/openwrt/luci/security/advisories/GHSA-8v49-6387-7f89
  - luci-mod-network / luci-mod-status (High): stored XSS via a DHCPv6 lease hostname (FQDN) shown in the status tables. https://github.com/openwrt/luci/security/advisories/GHSA-686p-p8p9-x6fh
  - luci-app-banip (High): a crafted LuCI login username can inject an arbitrary IP into banIP's log parser, causing the wrong address to be blocked. https://github.com/openwrt/luci/security/advisories/GHSA-r6hx-4f83-vp8m
- ead (Emergency Access Daemon): CVE-2026-55490 (Moderate): an integer underflow in handle_send_a() allowed a pre-auth denial of service. https://github.com/openwrt/openwrt/security/advisories/GHSA-9558-77jp-g3fw
- Linux kernel: update to 6.12.94, pulling in the upstream 6.12.88 through 6.12.94 stable releases, which fix multiple security vulnerabilities, such as CVE-2026-43500.
- OpenSSL: update to 3.5.7, fixing multiple security vulnerabilities (CVE-2026-7383, CVE-2026-9076, CVE-2026-34180, CVE-2026-34181, CVE-2026-34182, CVE-2026-34183, CVE-2026-42764, CVE-2026-42766, CVE-2026-42767, CVE-2026-42768, CVE-2026-42769, CVE-2026-42770, CVE-2026-45445, CVE-2026-45446, CVE-2026-45447).
- musl libc: backport upstream fixes for CVE-2026-6042 and CVE-2026-40200.
- dropbear (SSH): backport security fixes from upstream 2026.90 and 2026.91, including CVE-2019-6111 (a malicious server could trick the scp client into overwriting arbitrary local files) and CVE-2026-35385.

Beyond the issues listed above, this release fixes a number of further security problems for which no CVE number or dedicated advisory was assigned. We strongly recommend upgrading.
That’s an enormous number of vulnerabilities that the GL.iNet Flint 2 potentially exposes its users to.
When will Flint 2 get an update that is actually up to date with 25.12.5?
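For readers who want to see what the NDP relay item in the quoted notes actually means, here is an added example (written for this thread, not odhcpd's code and not from the release notes) of the RFC 4861 section 7.1.1 validity checks a relay should apply to a Neighbor Solicitation before acting on it. The hop-limit check is the one the advisory describes as missing: every router decrements the field, so a value of 255 is the only proof the packet was sent on-link. Byte offsets follow the IPv6 and ICMPv6 NS wire formats; ICMPv6 checksum verification and option-length checks are assumed to happen elsewhere, and the sample packet is constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not odhcpd's code: RFC 4861 7.1.1 checks for a received
 * Neighbor Solicitation. pkt points at the IPv6 header (no link layer). */

#define IPV6_HDR_LEN 40
#define IPPROTO_ICMPV6_NUM 58
#define ICMPV6_NS_TYPE 135
#define NS_MIN_LEN 24   /* type, code, checksum, reserved, 16-byte target */

enum ns_verdict {
    NS_OK = 0,
    NS_TOO_SHORT,
    NS_NOT_IPV6,
    NS_NOT_ICMPV6,
    NS_NOT_NS,
    NS_BAD_HOP_LIMIT,   /* the relay bug: anything but 255 crossed a router */
    NS_BAD_CODE,
    NS_BAD_LENGTH,
    NS_MULTICAST_TARGET
};

enum ns_verdict validate_ns(const uint8_t *pkt, size_t len)
{
    const uint8_t *icmp;
    uint16_t payload_len;

    if (len < IPV6_HDR_LEN + NS_MIN_LEN)
        return NS_TOO_SHORT;
    if ((pkt[0] >> 4) != 6)
        return NS_NOT_IPV6;
    /* Next Header must be ICMPv6 directly; an NS behind extension headers is
     * not something an on-link host sends, so it is rejected outright. */
    if (pkt[6] != IPPROTO_ICMPV6_NUM)
        return NS_NOT_ICMPV6;
    icmp = pkt + IPV6_HDR_LEN;
    if (icmp[0] != ICMPV6_NS_TYPE)
        return NS_NOT_NS;
    /* RFC 4861 7.1.1: "The IP Hop Limit field has a value of 255", i.e. the
     * packet was not forwarded. An off-link sender cannot satisfy this. */
    if (pkt[7] != 255)
        return NS_BAD_HOP_LIMIT;
    if (icmp[1] != 0)               /* ICMP Code is 0 */
        return NS_BAD_CODE;
    payload_len = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (payload_len < NS_MIN_LEN || (size_t)payload_len > len - IPV6_HDR_LEN)
        return NS_BAD_LENGTH;       /* ICMP length is 24 or more octets */
    if (icmp[8] == 0xff)            /* Target Address is not multicast */
        return NS_MULTICAST_TARGET;
    return NS_OK;
}

/* Build a minimal NS into buf (constructed sample, not a capture): src and
 * dst left as ::, target fe80::1, checksum zero. Returns the packet length. */
size_t build_ns(uint8_t *buf, uint8_t hop_limit)
{
    memset(buf, 0, IPV6_HDR_LEN + NS_MIN_LEN);
    buf[0] = 0x60;                      /* version 6 */
    buf[5] = NS_MIN_LEN;                /* payload length = 24 */
    buf[6] = IPPROTO_ICMPV6_NUM;
    buf[7] = hop_limit;
    buf[IPV6_HDR_LEN + 0] = ICMPV6_NS_TYPE;
    buf[IPV6_HDR_LEN + 8] = 0xfe;       /* target fe80::1 */
    buf[IPV6_HDR_LEN + 9] = 0x80;
    buf[IPV6_HDR_LEN + 23] = 0x01;
    return IPV6_HDR_LEN + NS_MIN_LEN;
}

/* Verdict for a minimal NS carrying the given hop limit. */
enum ns_verdict verdict_for_hop_limit(uint8_t hop_limit)
{
    uint8_t buf[IPV6_HDR_LEN + NS_MIN_LEN];
    size_t n = build_ns(buf, hop_limit);
    return validate_ns(buf, n);
}

int main(void)
{
    printf("on-link NS (hop limit 255): verdict %d (0 = ok)\n",
           verdict_for_hop_limit(255));
    printf("forwarded NS (hop limit 64): verdict %d (5 = bad hop limit)\n",
           verdict_for_hop_limit(64));
    return 0;
}
```

The ordering matters for logging: the packet type is established first, so a relay that counts NS_BAD_HOP_LIMIT verdicts gets a clean signal that someone beyond a router is sending Neighbor Solicitations at it, which is worth an alert on any network where the relay is enabled.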
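The three uhttpd items are all variations on one defensive rule, so here is an added example (written for this thread, not uhttpd's code) of how a server should decide request framing on a keep-alive connection: header names and the "chunked" token compare case-insensitively, a request carrying both Transfer-Encoding and Content-Length is treated as ambiguous rather than picking one, and a malformed Content-Length or chunk-size line is an error that must close the connection. Resetting parser state and reading on after such an error is what lets leftover bytes be parsed as the next request. The header strings in main and the tests are constructed samples; a production parser would also need to handle the remaining codings and obs-fold, which this one simply rejects.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not uhttpd's code: conservative body framing per RFC 9112 6.3. */

enum framing { FRAME_NONE, FRAME_CONTENT_LENGTH, FRAME_CHUNKED, FRAME_REJECT };

struct framing_decision {
    enum framing kind;
    uint64_t content_length;    /* meaningful only for FRAME_CONTENT_LENGTH */
};

/* Case-insensitive compare of a length-delimited token against a C string. */
static int ieq(const char *a, size_t alen, const char *b)
{
    size_t i;
    for (i = 0; i < alen; i++)
        if (b[i] == '\0' || tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return b[alen] == '\0';
}

/* Strict decimal: digits only, no sign, no whitespace, no overflow. */
static int parse_content_length(const char *s, size_t n, uint64_t *out)
{
    uint64_t v = 0;
    size_t i;
    if (n == 0)
        return -1;
    for (i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]) || v > (UINT64_MAX - 9) / 10)
            return -1;
        v = v * 10 + (uint64_t)(s[i] - '0');
    }
    *out = v;
    return 0;
}

static struct framing_decision reject(void)
{
    struct framing_decision d = { FRAME_REJECT, 0 };
    return d;
}

/* headers: "Name: value\r\n" lines followed by an empty "\r\n" line. */
struct framing_decision decide_framing(const char *headers)
{
    struct framing_decision d = { FRAME_NONE, 0 };
    int seen_te = 0, seen_cl = 0;
    const char *line = headers;

    while (*line != '\0' && strncmp(line, "\r\n", 2) != 0) {
        const char *eol = strstr(line, "\r\n");
        const char *colon = eol ? memchr(line, ':', (size_t)(eol - line)) : NULL;
        const char *val;
        size_t nlen, vlen;
        if (!eol || !colon || colon == line || line[0] == ' ' || line[0] == '\t')
            return reject();    /* unterminated, nameless or obs-folded line */
        nlen = (size_t)(colon - line);
        val = colon + 1;
        while (val < eol && (*val == ' ' || *val == '\t'))
            val++;
        vlen = (size_t)(eol - val);
        while (vlen > 0 && (val[vlen - 1] == ' ' || val[vlen - 1] == '\t'))
            vlen--;
        if (ieq(line, nlen, "transfer-encoding")) {
            /* Only a lone "chunked" (any case) is implemented; a repeated TE
             * header or any other coding cannot be framed and is rejected. */
            if (seen_te || !ieq(val, vlen, "chunked"))
                return reject();
            seen_te = 1;
        } else if (ieq(line, nlen, "content-length")) {
            if (seen_cl || parse_content_length(val, vlen, &d.content_length) != 0)
                return reject();    /* duplicate or non-numeric length */
            seen_cl = 1;
        }
        line = eol + 2;
    }
    if (seen_te && seen_cl)
        return reject();            /* ambiguous: never pick one and guess */
    d.kind = seen_te ? FRAME_CHUNKED : seen_cl ? FRAME_CONTENT_LENGTH : FRAME_NONE;
    return d;
}

/* Parse one chunk-size line "HEX[;ext]\r\n". Returns 0 with the size, or -1 on
 * any malformed input, after which the caller must close the connection. */
int parse_chunk_size(const char *line, size_t len, uint64_t *size)
{
    uint64_t v = 0;
    size_t i;
    if (len < 3 || line[len - 2] != '\r' || line[len - 1] != '\n')
        return -1;
    for (i = 0; i < len - 2 && isxdigit((unsigned char)line[i]); i++) {
        int c = tolower((unsigned char)line[i]);
        if (v > (UINT64_MAX >> 4))
            return -1;              /* overflow */
        v = (v << 4) | (uint64_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
    }
    if (i == 0 || (i < len - 2 && line[i] != ';'))
        return -1;                  /* no digits, or junk after the size */
    *size = v;
    return 0;
}

/* Demo helper: chunk size for a NUL-terminated line, UINT64_MAX if malformed. */
uint64_t chunk_size_of(const char *line)
{
    uint64_t s;
    return parse_chunk_size(line, strlen(line), &s) == 0 ? s : UINT64_MAX;
}

int main(void)
{
    printf("mixed-case TE -> kind %d (2 = chunked)\n",
           decide_framing("Host: r\r\ntransfer-ENCODING: Chunked\r\n\r\n").kind);
    printf("TE plus CL    -> kind %d (3 = reject)\n",
           decide_framing("Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n").kind);
    printf("chunk line 1A -> %llu\n", (unsigned long long)chunk_size_of("1A\r\n"));
    return 0;
}
```

Note that both FRAME_REJECT and a -1 from parse_chunk_size are terminal for the connection. Returning an error status and then continuing to read from the same socket is exactly the pattern that turns a parse error into a desync on the next keep-alive request.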