关键信息 漏洞名称: SVXportal <= 2.5 admin/update_user.php Stored XSS 严重性: Medium 日期: 2/20/2026 受影响的软件: SVXportal <= 2.5 CVE ID: CVE-2026-27506 CVE 详细描述: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CVSS 分数: 4.0 CVSS 向量: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N 参考链接: SVXportal Vulnerable Path 漏洞描述 SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user profile update workflow (user_settings.php submitting to admin/update_user.php). Authenticated users can store malicious HTML/JavaScript in fields such as Firstname, lastname, email, and image_url, which are later rendered without adequate output encoding in the administrator interface (admin/users.php), resulting in JavaScript execution in an administrator's browser when the affected page is viewed. 归功于 phllopentest