Vulnerability Description
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile_front.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowing attacker-supplied script injection and execution in the administrator's browser. This can be used to compromise admin sessions or perform unauthorized actions via the administrator's authenticated context.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Radioinorr | Svxportal | <= 2.5 |
Related Weaknesses (CWE)
References
- https://github.com/sa2blv/SVXportal/blob/master/radiomobile_front.phpProduct
- https://www.vulncheck.com/advisories/svxportal-radiomobile-front-php-stationid-rThird Party Advisory
FAQ
What is CVE-2026-27504?
CVE-2026-27504 is a vulnerability with a CVSS score of 6.1 (MEDIUM). SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile_front.php via the stationid query parameter. When an authenticated administrator views a crafted U...
How severe is CVE-2026-27504?
CVE-2026-27504 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27504?
Check the references section above for vendor advisories and patch information. Affected products include: Radioinorr Svxportal.