PT-2026-21274 · Unknown · Svx Portal

Philopentest · Published 2026-02-20 · Updated 2026-02-20 · CVE-2026-27505

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

SVXportal versions prior to 2.5

Description

The software contains a stored cross-site scripting issue in the user registration process. The index.php page submits data to the admin/user action.php endpoint. User-provided data, including the Firstname, lastname, and email fields, is saved to the backend database without proper output encoding. This data is then displayed in the administrator interface via the admin/users.php page, enabling an unauthenticated remote attacker to inject and execute arbitrary JavaScript code within an administrator’s browser.

Recommendations

Update to a version later than 2.5.
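
The output-encoding gap described above, shown as an added PHP example that is not SVXportal source code: a user-list row rendered without and with encoding, plus registration-side validation as defence in depth. The function names, the row layout and the sample record are assumptions made for illustration; only the field names come from the advisory.

```php
<?php
// Added illustration, not SVXportal code. Field names follow the advisory;
// function names and the table layout are hypothetical.

// Encode a stored value for an HTML text or quoted-attribute context.
function h(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Before: stored values are interpolated into markup unchanged, so HTML saved
// at registration is parsed by the administrator's browser.
function render_user_row_unsafe(array $u): string
{
    return "<tr><td>{$u['Firstname']}</td><td>{$u['lastname']}</td>"
         . "<td>{$u['email']}</td></tr>";
}

// After: every stored field is encoded at the point of output.
function render_user_row(array $u): string
{
    return '<tr><td>' . h($u['Firstname']) . '</td><td>' . h($u['lastname'])
         . '</td><td>' . h($u['email']) . '</td></tr>';
}

// Defence in depth at registration. Validation narrows what gets stored but
// does not replace encoding: names may legitimately contain an apostrophe.
function validate_registration(array $in): array
{
    $errors = [];
    foreach (['Firstname', 'lastname'] as $field) {
        if (!preg_match('/^[\p{L}\p{M}\' .-]{1,64}\z/u', $in[$field] ?? '')) {
            $errors[] = $field;
        }
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    return $errors;
}

// Constructed sample record: markup in Firstname, an apostrophe in lastname.
$row = ['Firstname' => '"><b>injected</b>', 'lastname' => "O'Neil", 'email' => 'a@example.org'];
echo render_user_row_unsafe($row), "\n";          // markup reaches the page as HTML
echo render_user_row($row), "\n";                 // markup is shown as inert text
echo implode(',', validate_registration($row)), "\n"; // fields rejected at registration
```

Encoding belongs in the code that writes the admin page, because rows stored before an upgrade are still in the database and are only neutralised when they are rendered.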

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-27505

Affected Products

Svx Portal