Description
Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available.
Published: 2026-01-02
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF) leading to internal network probing and credential exposure
Action: Assess Impact
AI Analysis

Impact

Emlog, an open‑source website builder, is susceptible to Server‑Side Request Forgery via uploaded SVG files. A crafted SVG containing external resource references can be uploaded to the admin/media.php endpoint. When the server processes, thumbnails the preview, or sanitizes the file, it automatically requests the external resource, enabling the attacker to force the server to perform HTTP requests to arbitrary hosts. This flaw, classified as CWE‑918, can allow an attacker to probe internal network resources and potentially glean sensitive data or credentials from exposed metadata. The vulnerability exists in all releases up to and including version 2.5.19.

Affected Systems

The affected product is Emlog by Emlog, with all released versions up to and including 2.5.19. No patched versions are reported in the advisory, and the vulnerability remains present in these releases.

Risk and Exploitability

The CVSS v3.1 score of 7.7 indicates a high severity for remote exploitation, while the EPSS score of less than 1% suggests that active exploitation is presently rare. The vulnerability is not listed in the CISA KEV catalog, but an attacker who can upload an SVG file to the admin/media.php endpoint can trigger the SSRF. Successful exploitation would allow internal network reconnaissance and may expose internal metadata or credentials. Given the lack of an available patch, the risk to organizations running affected Emlog installations remains significant, especially if the upload functionality is exposed to untrusted users.

Generated by OpenCVE AI on April 18, 2026 at 08:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or block the upload and rendering of SVG files to prevent external resource references from being processed.
  • Implement strict SVG sanitization that removes or rejects any external resource references before thumbnailing or previewing.
  • Apply network segmentation or firewall rules to restrict the Emlog application from making outbound HTTP requests to internal IP ranges, mitigating the impact of any SSRF attempts.

Generated by OpenCVE AI on April 18, 2026 at 08:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*

Tue, 06 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Emlog
Emlog emlog
Vendors & Products Emlog
Emlog emlog

Fri, 02 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Description Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available.
Title Emlog vulnerable to Server-Side Request Forgery (SSRF)
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Emlog Emlog
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-05T20:37:52.330Z

Reserved: 2025-12-29T03:00:29.275Z

Link: CVE-2026-21433

cve-icon Vulnrichment

Updated: 2026-01-05T20:30:21.806Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-02T19:15:48.187

Modified: 2026-01-16T18:11:24.493

Link: CVE-2026-21433

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses