Reflected XSS Vulnerability in IPFire 2.21 Core Update 127
CVE-2019-25396

5.1MEDIUM

Key Information:

Vendor: Ipfire
Status: Ipfire
Vendor: CVE Published:; 18 February 2026

Badges

👾 Exploit Exists

What is CVE-2019-25396?

The IPFire 2.21 Core Update 127 version is vulnerable to a reflected cross-site scripting flaw in the updatexlrator.cgi script. This vulnerability allows attackers to inject malicious JavaScript code via manipulated POST requests targeting parameters like MAX_DISK_USAGE or MAX_DOWNLOAD_RATE. Successful exploitation enables threat actors to execute arbitrary scripts in the browsers of users interacting with the affected system, posing a significant security risk.

Affected Version(s)

IPFire IPFire 2.21 - Core Update 127

References

https://www.exploit-db.com/exploits/46344

exploit

https://www.ipfire.org

product

https://downloads.ipfire.org/releases/ipfire-2.x/2.21-cor...

patch

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 18, 2026
👾
Exploit known to exist
Feb 18, 2026
Vulnerability published
Feb 18, 2026
Vulnerability Reserved
Feb 18, 2026

Credit

Ozer Goker

CVE-2019-25396 Data

JSON

Ipfire

Badges

What is CVE-2019-25396?

Affected Version(s)

References

CVSS V4

Timeline

Credit