CVE-2026-27506
Stored XSS in SVXportal User Profile Allows Admin Browser Exploit
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| radioinorr | svxportal | up to and including 2.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27506 is a stored cross-site scripting (XSS) vulnerability in SVXportal version 2.5 and earlier. It occurs in the user profile update workflow, where authenticated users can inject malicious HTML or JavaScript code into profile fields such as Firstname, Lastname, Email, and Image URL. This malicious content is stored and later displayed without proper output encoding in the administrator interface, causing the injected JavaScript to execute in the administrator's browser when they view the affected page. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with authenticated user access to execute arbitrary JavaScript code in an administrator's browser. This can lead to compromise of administrative control, potentially allowing the attacker to perform unauthorized actions, steal sensitive information, or manipulate the application through the administrator's session. The impact includes limited confidentiality and integrity risks but does not affect availability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for malicious HTML or JavaScript code injected into user profile fields such as Firstname, Lastname, Email, and Image URL in SVXportal version 2.5 and prior.
Since the vulnerability involves stored cross-site scripting in the user profile update workflow, detection involves inspecting the database or user profile data for suspicious script tags or HTML content.
Commands to detect this might include querying the database for suspicious patterns. For example, if using MySQL, you could run queries like:
- SELECT * FROM users WHERE firstname LIKE '%<script>%';
- SELECT * FROM users WHERE lastname LIKE '%<script>%';
- SELECT * FROM users WHERE email LIKE '%<script>%';
- SELECT * FROM users WHERE image_url LIKE '%<script>%';
Additionally, monitoring HTTP requests to user_settings.php and admin/update_user.php for suspicious input patterns or unexpected HTML/JavaScript payloads can help detect exploitation attempts. [1]
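As an added example (not part of this advisory and not SVXportal project code), the following Python script applies the same check as the sample queries above to rows exported from the users table, but also catches case variants, event-handler attributes and javascript: URLs that a literal '<script>' match misses. The table and column names (users, firstname, lastname, email, image_url) are taken from the advisory's queries; the sample rows are constructed for the demonstration.

```python
"""
Scan exported SVXportal user-profile rows for stored-XSS indicators.

Added example, not SVXportal code. Assumes the profile fields named in the
advisory (firstname, lastname, email, image_url) have been exported from the
users table into Python dicts, e.g. from a CSV dump or a DB-API cursor.
"""
import re

# Indicators that commonly accompany stored HTML/JavaScript injection. The
# advisory's sample queries only match a literal "<script>"; these patterns
# also catch case variations, event-handler attributes and javascript: URLs.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
    "embedded_element": re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.IGNORECASE),
}

# Column names from the advisory's sample queries.
PROFILE_FIELDS = ("firstname", "lastname", "email", "image_url")


def scan_profile(row):
    """Return a list of (field, indicator) hits for one profile row."""
    hits = []
    for field in PROFILE_FIELDS:
        value = row.get(field) or ""
        for name, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.append((field, name))
    return hits


def scan_profiles(rows):
    """Return {user_id: hits} for every row with at least one indicator."""
    findings = {}
    for row in rows:
        hits = scan_profile(row)
        if hits:
            findings[row["id"]] = hits
    return findings


# Constructed sample rows standing in for a database export; rows 2-4 carry
# the kind of content the advisory describes, row 1 is a clean profile.
SAMPLE_ROWS = [
    {"id": 1, "firstname": "Alice", "lastname": "Ng",
     "email": "alice@example.org", "image_url": "https://example.org/alice.png"},
    {"id": 2, "firstname": "<SCRIPT>alert(1)</SCRIPT>", "lastname": "Doe",
     "email": "doe@example.org", "image_url": ""},
    {"id": 3, "firstname": "Bob", "lastname": "Lee",
     "email": "bob@example.org", "image_url": "javascript:alert(1)"},
    {"id": 4, "firstname": "Eve", "lastname": 'x" onmouseover="alert(1)',
     "email": "eve@example.org", "image_url": "https://example.org/x.png"},
]

if __name__ == "__main__":
    for user_id, hits in scan_profiles(SAMPLE_ROWS).items():
        print(f"user {user_id}: {hits}")
```

Rows 2, 3 and 4 are flagged while the clean row 1 is not; only row 2 would have been found by the LIKE '%<script>%' queries alone, and only if the column collation is case-insensitive. Any hit should be reviewed by a person before the profile is cleaned, since the patterns are deliberately broad.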
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected SVXportal version 2.5 and prior, especially limiting authenticated user permissions to update profile fields.
Administrators should avoid viewing the user management interface (admin/users.php) until the vulnerability is addressed to prevent JavaScript execution in their browsers.
Implement input validation and output encoding on user profile fields to prevent malicious HTML or JavaScript from being stored or rendered.
If possible, update SVXportal to a version that patches this vulnerability or apply available security patches.
As a temporary measure, sanitize existing user profile data in the database by removing or escaping malicious scripts.
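The input validation and output encoding step above, as an added example that is not SVXportal code: a hypothetical render_user_row() pair models one row of the admin user list, with the "before" echoing the stored fields raw (the pattern the advisory describes) and the "after" HTML-escaping every field and allowlisting the image URL scheme. The URL check is needed because escaping alone leaves a javascript: value in a src attribute intact. The row layout, the helper names and the placeholder image path are assumptions.

```python
"""
Output-encode the profile fields where the admin user list renders them, and
allowlist the scheme of the image URL field.

Added example, not SVXportal code. Field names follow the advisory; the table
layout and the placeholder image path are assumptions.
"""
from html import escape
from urllib.parse import urlsplit

ALLOWED_IMAGE_SCHEMES = ("http", "https")
PLACEHOLDER_IMAGE = "/static/blank.png"  # assumed fallback asset


def safe_image_url(url):
    """Return url only if it is an absolute http(s) URL, else a placeholder.

    HTML-escaping does not neutralize a URL-valued attribute: a javascript:
    value survives escape() unchanged, so the scheme is checked explicitly.
    """
    cleaned = (url or "").strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() in ALLOWED_IMAGE_SCHEMES and parts.netloc:
        return cleaned
    return PLACEHOLDER_IMAGE


def render_user_row_vulnerable(user):
    """The pattern the advisory describes: stored values echoed unencoded."""
    return ('<tr><td>{firstname}</td><td>{lastname}</td><td>{email}</td>'
            '<td><img src="{image_url}"></td></tr>').format(**user)


def render_user_row_safe(user):
    """Same row with every field HTML-escaped and the image URL allowlisted."""
    # escape(..., quote=True) also encodes " and ', so a stored value cannot
    # break out of an attribute and add an event handler.
    return (
        "<tr>"
        f"<td>{escape(user['firstname'], quote=True)}</td>"
        f"<td>{escape(user['lastname'], quote=True)}</td>"
        f"<td>{escape(user['email'], quote=True)}</td>"
        f'<td><img src="{escape(safe_image_url(user["image_url"]), quote=True)}"></td>'
        "</tr>"
    )


# Constructed profile as a low-privileged user might have saved it.
HOSTILE_USER = {
    "firstname": "<script>alert(1)</script>",
    "lastname": 'x" onmouseover="alert(1)',
    "email": "mallory@example.org",
    "image_url": "javascript:alert(1)",
}

if __name__ == "__main__":
    print("vulnerable:", render_user_row_vulnerable(HOSTILE_USER))
    print("safe:      ", render_user_row_safe(HOSTILE_USER))
```

In the safe rendering the script tag arrives in the admin's browser as text, the attribute-breakout in the last name is encoded as &quot;, and the image field falls back to the placeholder. Encoding at output time is what closes the hole; the advisory's temporary measure of cleaning already-stored data is still worthwhile, but it does not replace it, since new profile updates keep arriving.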