Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.1
SVXportal: Unauthenticated Script Injection in Admin Area
CVE-2026-27504
Summary
A security issue in SVXportal's admin area allows an attacker to inject malicious code into an authenticated administrator's browser. This could allow the attacker to take control of the admin session or perform unauthorized actions. Users should update to the latest version of SVXportal to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| radioinorr | svxportal | <= 2.5 | – |
Original title
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile_front.php via the stationid query parameter. When an authenticated administrator views a crafte...
Original description
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile_front.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowing attacker-supplied script injection and execution in the administrator's browser. This can be used to compromise admin sessions or perform unauthorized actions via the administrator's authenticated context.
nvd CVSS3.1
6.1
nvd CVSS4.0
5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026