Impact
The flaw lies in the article creation controller, which accepts a POST request without verifying a CSRF token. This permits an attacker to force a logged-in user to submit an arbitrary article. When that article is stored and later rendered without sufficient output encoding, the payload executes as a script in the victim’s browser (stored cross-site scripting), enabling the attacker to hijack the account and perform arbitrary actions such as modifying content or resetting credentials. The combination of request forgery with a stored-content vulnerability results in a direct account takeover path.
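The two controls whose absence is described above, a CSRF token check on the article POST and output encoding at render time, are shown here as an added PHP example. It is not Emlog's code: the function names and the `csrf_token` field name are assumptions chosen for illustration.

```php
<?php
// Added illustration; function and field names are hypothetical, not Emlog's API.
declare(strict_types=1);

// Issue one random token per session; embed it in the article form as a hidden field.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Accept a state-changing request only if it is a POST carrying the session's token.
function is_valid_article_post(string $method, array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return $method === 'POST'
        && is_string($expected) && $expected !== ''
        && is_string($supplied)
        && hash_equals($expected, $supplied); // constant-time comparison
}

// Encode stored article fields at output time so markup is displayed, not executed.
function render_title(string $storedTitle): string
{
    $safe = htmlspecialchars($storedTitle, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>' . $safe . '</h1>';
}

// Constructed sample data: a cross-site form cannot read the victim's session token.
$session = [];
$token   = csrf_token($session);
$forged  = ['title' => 'x', 'content' => 'y'];      // no token field
$genuine = $forged + ['csrf_token' => $token];      // submitted from the real form

var_dump(is_valid_article_post('POST', $forged, $session));   // forged request
var_dump(is_valid_article_post('POST', $genuine, $session));  // genuine request
echo render_title('<script>alert(1)</script>'), PHP_EOL;      // rendered as text
```

Either control alone breaks the chain described above, but applying both keeps the stored content harmless even if it reaches the database by another route.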
Affected Systems
The vulnerability affects Emlog version 2.5.23, specifically the Pro build as identified by the associated CPE string. Users running this exact version without the optional CSRF guard or input sanitization are exposed.
Risk and Exploitability
The CVSS v3 base score of 7.0 classifies the flaw as high severity, while the EPSS score of less than 1% indicates a low estimated likelihood of exploitation in the wild. However, the attack requires the victim to be authenticated and to visit a crafted page, a scenario that is feasible for attackers with social engineering or click-through malware capabilities. The flaw is not listed in the current KEV catalog, suggesting no widespread active exploitation at present. Nonetheless, the risk of exploitation remains because the trigger is simple and the consequences are potentially severe.
OpenCVE Enrichment