Vulnerability Description
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in admin/log.php via the search query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing attacker-supplied JavaScript to execute in the administrator's browser. This can enable session theft, administrative action forgery, or other browser-based compromise in the context of an admin user.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Radioinorr | Svxportal | <= 2.5 |
Related Weaknesses (CWE)
References
- https://github.com/sa2blv/SVXportal/blob/master/admin/log.phpProduct
- https://www.vulncheck.com/advisories/svxportal-admin-log-php-search-reflected-xsThird Party Advisory
FAQ
What is CVE-2026-27503?
CVE-2026-27503 is a vulnerability with a CVSS score of 6.1 (MEDIUM). SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in admin/log.php via the search query parameter. When an authenticated administrator views a crafted URL, the app...
How severe is CVE-2026-27503?
CVE-2026-27503 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27503?
Check the references section above for vendor advisories and patch information. Affected products include: Radioinorr Svxportal.