CVE-2026-27505 MEDIUM

CVE-2026-27505: SVXportal <= 2.5 admin/user_action.php Stored XSS

Vendor Sa2Blv

Product SVXportal

Weakness CWE-79 · XSS

Published February 20, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user registration workflow (index.php submitting to admin/user_action.php). User-supplied fields such as Firstname, lastname, and email are stored in the backend database without adequate output encoding and are later rendered in the administrator interface (admin/users.php), allowing an unauthenticated remote attacker to inject arbitrary JavaScript that executes in an administrator's browser upon viewing the affected page.

Key dates

02Disclosure timeline

February 20, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-27505

Related vulnerabilities

CVE-2026-27505: SVXportal <= 2.5 admin/user_action.php Stored XSS

01Description

02Disclosure timeline

03References

04Related CVE