CVE-2019-25396 MEDIUM

CVE-2019-25396: IPFire 2.21 Core Update 127 Reflected XSS via updatexlrator.cgi

Vendor Ipfire
Product IPFire
Weakness CWE-79 · XSS
Published February 18, 2026
Last update May 24, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. Attackers can submit crafted requests with script payloads in the MAX_DISK_USAGE or MAX_DOWNLOAD_RATE parameters to execute arbitrary JavaScript in users' browsers.

Key dates

02Disclosure timeline

February 18, 2026 CVE published
May 24, 2026 Record updated