CVE-2026-27504

6.1 MEDIUM

📋 TL;DR

SVXportal versions 2.5 and earlier contain a reflected cross-site scripting (XSS) vulnerability in radiomobile_front.php via the stationid parameter. An attacker who gets an authenticated administrator to open a crafted URL can run injected script in that administrator's browser. The vulnerability affects administrators of vulnerable SVXportal installations.

💻 Affected Systems

Products:
  • SVXportal
Versions: 2.5 and prior
Operating Systems: Any OS running SVXportal
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator authentication for exploitation; affects radiomobile_front.php specifically.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of administrator accounts leading to full system takeover, data theft, or deployment of backdoors.

🟠 Likely Case

Session hijacking allowing unauthorized administrative actions, configuration changes, or privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation and output encoding preventing script execution.

🌐 Internet-Facing: HIGH - Publicly accessible admin interfaces allow remote exploitation via phishing or malicious links.
🏢 Internal Only: MEDIUM - Requires internal network access or social engineering to deliver malicious URLs.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an administrator to open a malicious link; a proof of concept is available in the public references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Implement workarounds or manually sanitize input in radiomobile_front.php.

🔧 Temporary Workarounds

Input Validation and Output Encoding (applies to: all)

Manually sanitize the stationid parameter in radiomobile_front.php to prevent XSS: edit radiomobile_front.php and apply htmlspecialchars() or similar encoding to the stationid value before it is output.

Web Application Firewall (WAF) Rules (applies to: all)

Deploy WAF rules to block XSS patterns in the stationid parameter: configure the WAF to detect and block <script>, javascript:, and other XSS patterns in query strings.

🧯 If You Can't Patch

  • Restrict access to admin interface using network segmentation or IP whitelisting
  • Implement Content Security Policy (CSP) headers to mitigate script injection impact

🔍 How to Verify

Check if Vulnerable:

As an administrator, request radiomobile_front.php?stationid=<script>alert('XSS')</script> and check whether the script executes.

Check Version:

Check SVXportal version in configuration files or admin interface

Verify Fix Applied:

Verify that script tags supplied in the stationid parameter appear properly encoded in the HTML output.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to radiomobile_front.php with script patterns in the stationid parameter
  • Unusual admin session activity

Network Indicators:

  • HTTP traffic containing XSS payloads in stationid parameter

SIEM Query:

source="web_logs" AND uri="*radiomobile_front.php*" AND query="*stationid=*script*"
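The SIEM query above matches only a literal `script` substring in the raw query string, so a percent-encoded payload such as `%3Cscript%3E` slips past it. As an added example (not from the advisory and not SVXportal code), the following Python script parses combined-format access-log lines, decodes the stationid value (including nested percent-encoding), and flags the patterns the advisory names; the log lines, IPs and function names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2026:10:00:01 +0000] "GET /svxportal/radiomobile_front.php?stationid=42 HTTP/1.1" 200 5120
10.0.0.9 - admin [01/Mar/2026:10:00:07 +0000] "GET /svxportal/radiomobile_front.php?stationid=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5170
10.0.0.9 - admin [01/Mar/2026:10:00:09 +0000] "GET /svxportal/radiomobile_front.php?stationid=x%2522%2520onload%253Dalert(1) HTTP/1.1" 200 5150
10.0.0.7 - - [01/Mar/2026:10:00:12 +0000] "GET /svxportal/index.php?stationid=%3Cscript%3E HTTP/1.1" 200 800
"""

# Fields of a combined-format entry up to the request target.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Defensive signatures, applied to the fully decoded, lowercased value.
XSS_PATTERNS = {
    "script tag": re.compile(r"<\s*/?\s*script\b"),
    "javascript: URL": re.compile(r"javascript\s*:"),
    "inline event handler": re.compile(r"\bon[a-z]+\s*="),
}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding; stop when a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_stationid_xss(log_text: str) -> list[dict]:
    """One finding per request to radiomobile_front.php whose stationid
    parameter carries an XSS pattern; other paths are ignored."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/radiomobile_front.php"):
            continue
        # parse_qs already decodes one layer; fully_decode handles the rest.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("stationid", []):
            value = fully_decode(raw).lower()
            for name, pattern in XSS_PATTERNS.items():
                if pattern.search(value):
                    findings.append({"line": lineno, "client": m.group("client"),
                                     "user": m.group("user"), "pattern": name,
                                     "stationid": value})
                    break
    return findings


if __name__ == "__main__":
    for finding in find_stationid_xss(SAMPLE_LOG):
        print(finding)
```

Pair the decoded match with the "Unusual admin session activity" indicator above: a flagged request followed by administrative actions from a different client address is the session-hijack pattern the advisory describes.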
