Description
Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library` function while publishing an article. As of time of publication, no known patched versions are available.
Published: 2026-01-02
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting
Action: Assess Impact
AI Analysis

Impact

The vulnerability occurs when a user publishes an article using the Resource media library feature. The image name field is not properly sanitized, allowing an attacker to embed malicious JavaScript that is stored and later rendered in the article page. This leads to client‑side code execution in the browsers of anyone who views the affected article, potentially resulting in session hijacking, defacement, or phishing attempts. The weakness matches CWE‑79, a classic stored cross‑site scripting flaw.

Affected Systems

The affected product is emlog version 2.5.23, an open‑source website building system. No other versions or vendors are cited as affected and no patched releases are listed as available at the time of this advisory.

Risk and Exploitability

The CVSS base score is 2, indicating low severity, and the EPSS is below 1%, meaning exploitation is considered rare. The vulnerability is not in the CISA KEV catalog, and no public exploits are currently known. The likely attack vector involves a legitimate article publisher submitting a crafted image name via the web interface, which the server stores and later serves to visitors. Because the flaw is stored XSS and not remote code execution on the server, the attack requires the victim to view the compromised article and is therefore client‑side and user‑dependent.

Generated by OpenCVE AI on April 18, 2026 at 08:32 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Monitor emlog releases for a patch or consider upgrading to a newer major version once the vulnerability is fixed.
  • Implement server‑side validation or sanitization of image name inputs to strip or encode any HTML or script content before storage.
  • Restrict publishing privileges to trusted users and apply role‑based access control so that only authorized accounts can add images to articles.
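The second recommended action, a server-side check on the image name plus encoding when the stored name is rendered, as an added illustration written for this advisory rather than emlog's own code (the function names, the extension list and the two sample names are assumptions):

```php
<?php
// Added illustration for this advisory, not emlog project code.
// Two defences for a media-library image name: reject names that are
// not plain filenames at upload time, and HTML-encode whatever is
// stored when the article page is rendered.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/**
 * Validate an image name before it is stored.
 * Returns the trimmed name, or null if the name must be rejected.
 */
function validateImageName(string $name): ?string
{
    $name = trim($name);
    // Only a simple filename: letters, digits, dot, dash, underscore.
    // This excludes <, >, quotes, slashes and control characters, so
    // nothing the browser would parse as markup can be stored.
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.[A-Za-z0-9]+$/', $name)
        || strlen($name) > 255) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $name;
}

/**
 * Encode a stored image name for insertion into HTML (text content or
 * an attribute value). This defence also covers names that were stored
 * before validation was added.
 */
function renderImageName(string $storedName): string
{
    return htmlspecialchars($storedName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: one legitimate name, one carrying markup.
$samples = ['holiday-2025.png', 'cover"<b>.png'];
foreach ($samples as $sample) {
    $ok = validateImageName($sample);
    echo $sample, ' => ', $ok === null ? 'rejected' : 'accepted', "\n";
    // Even if such a name already sits in the database, it renders inertly:
    echo '<img alt="', renderImageName($sample), '">', "\n";
}
```

Validation on input and encoding on output are independent: the first keeps new markup out of the database, the second neutralises anything that is already there.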

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 17:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:emlog:emlog:2.5.23:*:*:*:pro:*:*:*
Metrics                    cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 06 Jan 2026 00:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 05 Jan 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Emlog
                                      Emlog emlog
Vendors & Products                    Emlog
                                      Emlog emlog

Fri, 02 Jan 2026 19:00:00 +0000

Type         Values Removed   Values Added
Description                   Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library ` function while publishing an article. As of time of publication, no known patched versions are available.
Title                         Emlog vulnerable to stored Cross-site Scripting via image name
Weaknesses                    CWE-79
References
Metrics                       cvssV4_0: {'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-05T20:38:04.182Z

Reserved: 2025-12-29T03:00:29.275Z

Link: CVE-2026-21431

Vulnrichment

Updated: 2026-01-05T20:30:24.613Z

NVD

Status: Analyzed

Published: 2026-01-02T19:15:47.857

Modified: 2026-01-16T17:13:01.813

Link: CVE-2026-21431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses