CVE-2026-27506

Name of the Vulnerable Software and Affected Versions SVXportal versions prior to 2.5

Description SVXportal versions prior to 2.5 are affected by a stored cross-site scripting issue in the user profile update workflow. An authenticated user can inject malicious HTML or JavaScript into fields like Firstname, lastname, email, and image url. This malicious content is stored and then rendered without proper output encoding in the administrator interface, specifically in the admin/users.php page. This can lead to JavaScript execution in an administrator’s browser when viewing the affected page. The vulnerable workflow involves user settings.php submitting data to admin/update user.php.

Recommendations Update SVXportal to version 2.5 or later.