PatchSiren

sa2blv CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM sa2blv CVE published 2026-02-20

CVE-2026-27506

CVE-2026-27506 is a stored cross-site scripting (XSS) vulnerability in SVXportal version 2.5 and prior. The vulnerability exists in the user profile update workflow, specifically in the user_settings.php file submitting to admin/update_user.php. An authenticated user can store malicious HTML/JavaScript in fields such as Firstname, lastname, email, and image_url. These fields are later rendered without ade [truncated]

MEDIUM sa2blv CVE published 2026-02-20

CVE-2026-27505

CVE-2026-27505 is a stored cross-site scripting vulnerability in SVXportal version 2.5 and prior. The vulnerability exists in the user registration workflow, specifically in the index.php file submitting to admin/user_action.php. User-supplied fields such as Firstname, lastname, and email are stored in the backend database without adequate output encoding and are later rendered in the administrator interf [truncated]

MEDIUM sa2blv CVE published 2026-02-20

CVE-2026-27504

CVE-2026-27504 is a reflected cross-site scripting vulnerability in SVXportal version 2.5 and prior. The vulnerability exists in the radiomobile_front.php file via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowing attacker-supplied script injection and execution in the adm [truncated]

MEDIUM sa2blv CVE published 2026-02-20

CVE-2026-27503

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-20T17:25:56.920Z and has not been modified since then. This vulnerability exists in SVXportal version 2.5 and prior, allowing an attacker to inject malicious JavaScript code via the search query parameter in admin/log.php. When an authenticated administrator views a crafted URL, the application embe [truncated]

MEDIUM sa2blv CVE published 2026-02-20

CVE-2026-27502

CVE-2026-27502 is a reflected cross-site scripting vulnerability in SVXportal version 2.5 and prior. The vulnerability is located in log.php and is triggered by the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser if the vic [truncated]