CVE-2026-34788 - Vulnerability Details

- Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters

Description

Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized queries or proper escaping ($this->db->escape_string()), making it vulnerable to SQL injection attacks. At time of publication, there are no publicly available patches.

Published: 2026-04-03

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability lies in the tag_model::updateTagName() function in Emlog's core. Unsanitized user input is concatenated into an SQL statement, allowing an attacker to inject arbitrary SQL. This flaw can lead to unauthorized data extraction, modification, or deletion within the database, giving an attacker control over the application data. The weakness aligns with CWE‑89, classification: SQL injection.

Affected Systems

The affected product is the open‑source website builder Emlog. Versions 2.6.2 and earlier contain the flaw in the file include/model/tag_model.php at line 168. No remedial patch is currently available from the vendor at publication, so users must rely on code changes or platform upgrades to mitigate the risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1 % suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through any interface that triggers updateTagName, which normally requires administrative access. Based on the description, it is inferred that an attacker must be authenticated as a user with tag‑editing privileges to supply a malicious tag name; however, if the endpoint is exposed to unauthenticated users, the risk increases. Exploiting the flaw would allow manipulation of database contents and potentially compromise the confidentiality, integrity, and availability of the website.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

emlog

affected

Version	Status	Constraints
`<= 2.6.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*

No data.

Vendor Product Confidence Versions

Emlog

100%

Version	Status	Scheme	Platform
`[0,2.6.2]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any official patch or upgrade to a newer Emlog release when available
Replace the vulnerable string concatenation with parameterized queries or proper escaping using $this->db->escape_string() in tag_model.php
Restrict access to the tag editing functionality to trusted administrators only and disable it for other users
Monitor database logs for anomalous SQL activity or unauthorized changes
Verify that the updateTagName endpoint is not publicly accessible and that authentication mechanisms are correctly enforced

Generated by OpenCVE AI on April 13, 2026 at 19:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00028.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/emlog/emlog/security/advisories/GHSA-32mg-33qq-p3gf

History

Mon, 13 Apr 2026 17:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:emlog:emlog:::::pro:::*

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Emlog Emlog emlog
Vendors & Products		Emlog Emlog emlog

Mon, 06 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 03 Apr 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized queries or proper escaping ($this->db->escape_string()), making it vulnerable to SQL injection attacks. At time of publication, there are no publicly available patches.
Title		Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters
Weaknesses		CWE-89
References		https://github.com/emlog/emlog/security/advisories/GHSA-32mg-33qq-p3gf
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Emlog Emlog

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-03T22:37:08.658Z

Updated: 2026-04-06T19:03:54.134Z

Reserved: 2026-03-30T19:54:55.556Z

Link: CVE-2026-34788

Vulnrichment

Updated: 2026-04-06T19:03:49.760Z

NVD

Status : Analyzed

Published: 2026-04-03T23:17:05.063

Modified: 2026-04-13T17:29:51.857

Link: CVE-2026-34788

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:34Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object