CVE-2026-27504 MEDIUM

CVE-2026-27504: SVXportal <= 2.5 radiomobile_front.php stationid Reflected XSS

Vendor Sa2Blv

Product SVXportal

Weakness CWE-79 · XSS

Published February 20, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile_front.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowing attacker-supplied script injection and execution in the administrator's browser. This can be used to compromise admin sessions or perform unauthorized actions via the administrator's authenticated context.

Key dates

02Disclosure timeline

February 20, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-27504

Related vulnerabilities

04Related CVE

CVE-2023-28850 Pimcore Perspective Editor vulnerable to Cross-site Scripting in perspective name CVE-2024-11227 Memberlite Shortcodes <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via memberlite_accordion Shortcode CVE-2024-7655 Community by PeepSo – Social Network, Membership, Registration, User Profiles <= 6.4.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2024-13575 Web Stories Enhancer – Level Up Your Web Stories <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-0609 WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting <= 1.13.1 - Unauthenticated Stored Cross-Site Scripting