CVE-2026-27504

Name of the Vulnerable Software and Affected Versions SVXportal versions prior to 2.5

Description SVXportal versions prior to 2.5 are affected by a reflected cross-site scripting issue in the radiomobile front.php file. The issue occurs due to the application embedding unsanitized data from the stationid query parameter into a hidden input value field when an authenticated administrator views a specially crafted URL. This allows for attacker-supplied script injection and execution within the administrator’s browser, potentially leading to compromised admin sessions or unauthorized actions performed with the administrator’s privileges. The vulnerable parameter is stationid.

Recommendations Update SVXportal to a version later than 2.5.