CVE-2026-27504 is a reflected cross-site scripting vulnerability classified under CWE-79 affecting SVXportal, an open-source portal software used primarily in amateur radio and communication communities. The flaw exists in the radiomobile_front.php script where the stationid query parameter is not properly sanitized before being embedded into a hidden input field on a web page. When an authenticated administrator visits a maliciously crafted URL containing JavaScript code within the stationid parameter, the script executes in the administrator's browser context. This can lead to session hijacking, unauthorized command execution, or privilege escalation within the administrative interface. The vulnerability does not require the attacker to have any privileges or authentication, but it does require the administrator to click or visit the malicious URL, making user interaction necessary. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and limited scope impact. No patches or official fixes have been published yet, and no known exploits are currently active in the wild. However, the vulnerability poses a medium risk due to the sensitive nature of administrative access and potential for abuse if exploited.

If exploited, this vulnerability allows attackers to execute arbitrary scripts in the context of an authenticated administrator's browser session. This can lead to theft of session cookies, enabling attackers to impersonate administrators and gain full control over the SVXportal instance. Unauthorized actions such as modifying configurations, accessing sensitive data, or disrupting services could be performed. The impact extends to the confidentiality, integrity, and availability of the affected system. Organizations relying on SVXportal for critical communication infrastructure or administrative functions could face operational disruptions, data breaches, or unauthorized system changes. The requirement for user interaction (administrator visiting a malicious URL) somewhat limits the attack surface but does not eliminate the risk, especially in environments where administrators may be targeted via phishing or social engineering. The absence of known exploits in the wild reduces immediate risk but does not preclude future attacks.

1. Implement strict input validation and output encoding on the stationid query parameter to ensure all user-supplied data is properly sanitized before rendering in HTML contexts, particularly within hidden input fields. 2. Apply Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS payloads. 3. Restrict access to the administrative interface by IP whitelisting, VPNs, or multi-factor authentication to reduce exposure to malicious URLs. 4. Educate administrators about phishing and social engineering risks to prevent inadvertent clicking on malicious links. 5. Monitor web server logs and application behavior for unusual requests or signs of attempted exploitation. 6. Stay updated with vendor advisories for patches or official fixes and apply them promptly once available. 7. Consider deploying web application firewalls (WAFs) with rules to detect and block reflected XSS attempts targeting the stationid parameter.