CVE-2026-27502
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk10th percentile - higher than 10% of all known CVEs
Summary
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser if the victim visits a crafted URL.
Risk Assessment
The risk for the organization includes theft of user session data, performing actions on behalf of the victim, and modifying displayed content, potentially leading to confidentiality and integrity breaches.
Recommendation
Immediately update SVXportal to a version newer than 2.5, or if not available, apply input validation and output encoding for the search parameter in log.php.
Original NVD description (English source)
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser if the victim visits a crafted URL. This can be used to steal session data, perform actions as the victim, or modify displayed content.

