CVE-2026-27502

EPSS 0.05%
Veröffentlicht 20.02.2026 16:48:24
Zuletzt bearbeitet 23.02.2026 13:59:18
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser if the victim visits a crafted URL. This can be used to steal session data, perform actions as the victim, or modify displayed content.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Radioinorr ≫ Svxportal Version <= 2.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.137

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	5.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/sa2blv/SVXportal/blob/master/log.php

Product

https://www.vulncheck.com/advisories/svxportal-log-php-search-reflected-xss

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-27502

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27502

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27502

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27502