Description
Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in the emlog comment module via a URI scheme validation bypass. This issue has been patched in version 2.6.8.
Published: 2026-04-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Patch Update
AI Analysis

Impact

Stored cross‑site scripting (XSS) exists in the comment module of emlog because its URI scheme validation can be bypassed. This flaw allows a malicious actor to embed JavaScript payloads in comments that are subsequently rendered in other users' browsers. The impact includes cookie theft, session hijacking, defacement of the site, or redirection to malicious sites, thereby compromising the confidentiality, integrity, and availability of the affected web application. The weakness corresponds to CWE‑79 (improper neutralization of input during web page generation), i.e. unsafe handling of untrusted input in web contexts.

Affected Systems

emlog version 2.6.8 or higher addresses the issue. All installations running emlog prior to 2.6.8, including the "pro" edition, are affected. The vulnerable product is the open‑source website building system emlog; the affected CPE is recorded under the cpe:2.3:a:emlog:emlog: namespace. Users should verify their installed version against the upstream release notes.

Risk and Exploitability

With a CVSS score of 6.1, the flaw poses a moderate threat level. The EPSS score below 1% indicates a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would typically involve submitting a comment containing malicious JavaScript, either through authenticated user input or through an unauthenticated commenting interface if the site does not enforce proper access controls. The attacker then relies on victims' browsers executing the script when the comment is rendered, producing the impact described above.

Generated by OpenCVE AI on April 13, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade emlog to version 2.6.8 or later
  • If upgrade is not immediately possible, disable or moderate the comment feature to prevent unauthenticated submissions
  • Validate or sanitize all comment input to remove dangerous URI schemes
  • Monitor web traffic for unexpected script execution or defacement
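The "validate or sanitize" recommendation above, as an added defender-side illustration that is not emlog's code and does not reproduce the actual bypass: a comment-link allowlist that normalizes the value (HTML entities, control characters) before checking its scheme, written in Python for demonstration rather than emlog's PHP. The allowed-scheme set and the sample inputs are assumptions.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumption (not taken from the advisory): the only schemes a comment link may use.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers ignore ASCII control characters and whitespace while parsing a scheme,
# so the check must run on the same normalized value the browser will see.
_CTRL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def normalize_href(raw: str) -> str:
    """Undo the encodings that let a value slip past a naive scheme check."""
    value = html.unescape(raw)               # "javascript&#58;..." -> "javascript:..."
    return _CTRL_OR_SPACE.sub("", value)     # "java\tscript:..."  -> "javascript:..."


def sanitize_href(raw: str) -> Optional[str]:
    """Return the normalized href to store, or None when the link must be rejected."""
    value = normalize_href(raw)
    if not value:
        return None
    scheme = urlsplit(value).scheme          # urlsplit lowercases the scheme
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None                          # javascript:, data:, vbscript:, ...
    return value                             # relative links and allowlisted schemes


def render_comment(author_url: str, body: str) -> Optional[str]:
    """Emit the comment HTML: allowlisted link plus entity-escaped text."""
    href = sanitize_href(author_url)
    if href is None:
        return None
    return '<a href="{}">{}</a>'.format(html.escape(href, quote=True), html.escape(body))


if __name__ == "__main__":
    # Constructed sample inputs, not values from the advisory.
    for candidate in ("https://example.com/", "JaVaScRiPt:alert(1)",
                      "java\tscript:alert(1)", "javascript&#58;alert(1)", "/about"):
        print(repr(candidate), "->", sanitize_href(candidate))
```

Because the stored value is the normalized form, the browser and the validator always see the same scheme; a value that only passes thanks to a tab or an entity is rejected rather than stored as typed.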


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:45:00 +0000

Type                 Values Removed   Values Added
CPEs                                  cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Emlog
                                      Emlog emlog
Vendors & Products                    Emlog
                                      Emlog emlog

Mon, 06 Apr 2026 20:00:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 22:45:00 +0000

Type                 Values Removed   Values Added
Description                           Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in emlog comment module via URI scheme validation bypass. This issue has been patched in version 2.6.8.
Title                                 Emlog: Stored XSS in Comment Module via URI Scheme Validation Bypass
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1
                                      {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T19:02:14.476Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34229

Vulnrichment

Updated: 2026-04-06T19:02:10.523Z

NVD

Status : Analyzed

Published: 2026-04-03T23:17:04.270

Modified: 2026-04-13T17:37:40.193

Link: CVE-2026-34229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:37Z

Weaknesses