Description
Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available.
Published: 2026-01-02
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS leading to account takeover, including admin accounts
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw that allows an attacker to inject malicious script into content that is subsequently rendered in other users’ browsers. Because the script executes with the privileges of the victim’s session, an attacker can hijack user accounts, including administrative accounts. This is classified as CWE-79.

Affected Systems

The affected product is Emlog version 2.5.23. No patched version is available at the time of publication, and the vulnerability is specific to that release.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests a very low likelihood that the vulnerability is actively exploited. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to be able to write or edit content that will be stored and displayed to other users. Once the content is rendered in another user’s browser, the stored script can be executed, giving the attacker control of that user’s session. The lack of an immediate patch means the risk persists until a fix or adequate workaround is deployed.

Generated by OpenCVE AI on April 18, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Block or strip unfiltered HTML input from users until a patch is available
  • Apply a strict Content Security Policy that limits script execution to trusted sources
  • Monitor user accounts for signs of unauthorized session hijacking and seek vendor updates as soon as a fix is released

Generated by OpenCVE AI on April 18, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:emlog:emlog:2.5.23:*:*:*:pro:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 06 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Emlog
Emlog emlog
Vendors & Products Emlog
Emlog emlog

Fri, 02 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Description Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available.
Title Emlog has stored Cross-site Scripting issue that can lead to admin or another account ATO
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P'}

Subscriptions

Emlog Emlog
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-05T20:37:57.632Z

Reserved: 2025-12-29T03:00:29.275Z

Link: CVE-2026-21432

cve-icon Vulnrichment

Updated: 2026-01-05T20:30:23.135Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-02T19:15:48.020

Modified: 2026-01-16T17:13:09.323

Link: CVE-2026-21432

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses