CVE-2019-25400 MEDIUM

CVE-2019-25400: IPFire 2.21 Core Update 127 Multiple XSS via fwhosts.cgi

Vendor Ipfire
Product IPFire
Weakness CWE-79 · XSS
Published February 18, 2026
Last update May 24, 2026
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SRVGRP_NAME, SRVGRP_REMARK, and updatesrvgrp. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated users' browsers.

Key dates

02Disclosure timeline

February 18, 2026 CVE published
May 24, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-0791 Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq CVE-2025-32586 WordPress ABA PayWay Payment Gateway for WooCommerce Plugin <= 2.1.4 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-11485 SourceCodester Student Grades Management System Manage Users admin.php add_user cross site scripting CVE-2024-12049 Woo Ukrposhta <= 1.17.11 - Reflected Cross-Site Scripting via order, post, and idd Parameters CVE-2023-3883 Campcodes Beauty Salon Management System add-category.php cross site scripting