CVE-2026-27502
MEDIUMSVXportal < 2.5 - Reflected Cross-Site Scripting via log.php Search Parameter
Title source: llmDescription
SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser if the victim visits a crafted URL. This can be used to steal session data, perform actions as the victim, or modify displayed content.
References (2)
Core 2
Core References
Various Sources product
https://github.com/sa2blv/SVXportal/blob/master/log.php
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/svxportal-log-php-search-reflected-xss
Scores
CVSS v3
6.1
EPSS
0.0006
EPSS Percentile
17.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
radioinorr/svxportal
< 2.5
sa2blv/SVXportal
< 2.5
Published
Feb 20, 2026
Tracked Since
Feb 21, 2026