Description
Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available.
Published: 2026-01-02
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Assess Impact
AI Analysis

Impact

Emlog, a website building system, includes a configuration option that allows an administrator to set a control which blocks users from editing or deleting their articles after the articles have been published. This restriction is enforced through the application’s access control logic and is identified as a Broken Access Control weakness (CWE-862). The result is that legitimate users lose the ability to modify or remove their own content, compromising user experience and potentially violating data integrity expectations. The vulnerability does not allow an attacker to gain higher privileges or execute arbitrary code, but it does limit correct functionality for authenticated users.

Affected Systems

The affected product is Emlog version 2.5.23, as identified by the vendor "emlog:emlog". No other product versions are listed as impacted.

Risk and Exploitability

The CVSS base score is 2.0, indicating low severity, and the estimated Exploit Probability is less than 1 %, with no current listing in the CISA Known Exploited Vulnerabilities catalog. The vulnerability is a logical error in the application’s permission checks and is not exploitable by an unauthenticated attacker. The attack vector is limited to actions performed within the application’s administrative interface, requiring administrator authorization. Overall, the risk is low but the issue affects legitimate users’ ability to manage their content.

Generated by OpenCVE AI on April 18, 2026 at 08:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict or disable the admin configuration that blocks post editing and deletion for users
  • Audit application logs to ensure no unauthorized changes are made to the control settings
  • Apply a vendor patch or update to a version that removes the faulty control when available

Generated by OpenCVE AI on April 18, 2026 at 08:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:emlog:emlog:2.5.23:*:*:*:pro:*:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Emlog
Emlog emlog
Vendors & Products Emlog
Emlog emlog

Fri, 02 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 02 Jan 2026 17:45:00 +0000

Type Values Removed Values Added
Description Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available.
Title Emlog has Broken Access Control (BAC)
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Emlog Emlog
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-02T21:05:56.458Z

Reserved: 2025-12-29T03:00:29.274Z

Link: CVE-2026-21429

cve-icon Vulnrichment

Updated: 2026-01-02T21:05:52.768Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-02T18:15:55.110

Modified: 2026-01-16T17:11:08.020

Link: CVE-2026-21429

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses