Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.1
SVXportal: Unauthenticated JavaScript Injection via Log Search
CVE-2026-27502
Summary
SVXportal versions 2.5 and earlier have a security flaw. An attacker can trick a user into visiting a malicious URL, allowing the attacker to execute arbitrary JavaScript code in the user's browser. This could allow the attacker to steal sensitive information or take control of the user's account. Update to the latest version of SVXportal to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| radioinorr | svxportal | <= 2.5 | – |
Original title
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly int...
Original description
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser if the victim visits a crafted URL. This can be used to steal session data, perform actions as the victim, or modify displayed content.
nvd CVSS3.1
6.1
nvd CVSS4.0
5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026