Unrated severityNVD Advisory· Published Feb 18, 2026· Updated Mar 5, 2026

IPFire 2.21 Core Update 127 Stored XSS via extrahd.cgi

CVE-2019-25399

Description

IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.

Affected products

Ipfire/Ipfirev5
Range: IPFire 2.21 - Core Update 127

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.isomitrepatch
www.exploit-db.com/exploits/46344mitreexploit
www.vulncheck.com/advisories/ipfire-core-update-stored-xss-via-extrahdcgimitrethird-party-advisory
www.ipfire.orgmitreproduct

News mentions

Week in review: High-severity LPE vulnerability in the Linux kernel, cPanel 0-day exploited for months
Help Net Security · May 3, 2026

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000