Description
Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been patched in version 2.6.11.
Published: 2026-05-08
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A direct SQL injection flaw exists in Emlog's article creation and update functions (the CVE title names addLog() and updateLog() in log_model.php), allowing an attacker to execute arbitrary SQL against the application database. The effect can be a full compromise of the database: reading any table, including user credentials, altering or deleting content, or destructive changes to the system. The weakness is CWE-89 (improper neutralization of special elements used in an SQL command): request data reaches the statement text instead of being passed as bound parameters.

Affected Systems

The vulnerability affects the Emlog web-building system, specifically any deployment of the emlog:emlog product running a version older than 2.6.11. Installations on those releases are exposed wherever the article creation or update endpoints are reachable.

Risk and Exploitability

The CVSS v4.0 base score is 10.0 (Critical), with a vector of AV:N/AC:L/AT:N/PR:N/UI:N and high impact on confidentiality, integrity and availability of both the vulnerable system and subsequent systems. The EPSS estimate shown above is below 1% (very low), and the flaw is not listed in CISA KEV. The CVE title places the defect in addLog() and updateLog() in log_model.php, so the attack path is the article create and update requests: fields such as the title, body or record identifier that are spliced into the INSERT or UPDATE statement. The published vector records PR:N, but the description does not say which accounts can reach these functions in a given deployment; verify that for your installation and treat every account able to create or edit posts as able to read or modify the entire database until the upgrade is applied.

Generated by OpenCVE AI on May 9, 2026 at 00:25 UTC.

Remediation

The vendor description states the issue is patched in version 2.6.11; no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade emlog to version 2.6.11 or later.
  • Use parameterized queries (prepared statements with bound values) for the article INSERT and UPDATE paths; escaping or sanitizing article content is not a substitute for parameterization.
  • Until upgraded, restrict article creation and update functionality to trusted, authenticated users, and review recent article records and database logs for unexpected SQL fragments.
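
As an added illustration, not Emlog's own code and not derived from the 2.6.11 patch, the following Python/sqlite3 sketch shows the pattern behind CWE-89 in two functions shaped like the addLog() and updateLog() named in the CVE title, beside the parameterized form that closes it. The schema, table and column names, user rows and payloads are constructed for the demo (Emlog itself is PHP on MySQL); the second-order exfiltration shown here, where stolen rows come back as the body of the attacker's own article, is the kind of data theft the description warns about.

```python
"""Constructed demo of CWE-89 in blog-style add/update functions, with the
parameterized fix. Uses Python's sqlite3 so it runs offline; the schema,
names and payloads are invented for illustration and are not Emlog's."""
import sqlite3

SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT NOT NULL,
                    password_hash TEXT NOT NULL);
CREATE TABLE logs  (gid INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT,
                    content TEXT, author INTEGER);
INSERT INTO users VALUES (1, 'admin',  'hash_admin_0001');
INSERT INTO users VALUES (2, 'writer', 'hash_writer_0002');
"""

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

# --- vulnerable shape: request fields spliced into the SQL text ------------
def add_log_vulnerable(conn, title, content, author):
    sql = ("INSERT INTO logs (title, content, author) "
           f"VALUES ('{title}', '{content}', {author})")
    return conn.execute(sql).lastrowid

def update_log_vulnerable(conn, gid, title):
    sql = f"UPDATE logs SET title = '{title}' WHERE gid = {gid}"
    return conn.execute(sql).rowcount

# --- hardened shape: placeholders; values never touch the statement text ---
def add_log_safe(conn, title, content, author):
    cur = conn.execute(
        "INSERT INTO logs (title, content, author) VALUES (?, ?, ?)",
        (title, content, int(author)))
    return cur.lastrowid

def update_log_safe(conn, gid, title):
    return conn.execute("UPDATE logs SET title = ? WHERE gid = ?",
                        (title, int(gid))).rowcount

def fetch_log(conn, gid):
    return conn.execute("SELECT title, content FROM logs WHERE gid = ?",
                        (gid,)).fetchone()

# Constructed payload for the content field: closes the string literal and
# concatenates a subquery over the users table, so the stolen rows come
# back as the body of the attacker's own article when it is rendered.
EXFIL_CONTENT = ("' || (SELECT group_concat(name || ':' || password_hash, ';') "
                 "FROM users) || '")

def demo_insert(vulnerable):
    """Create one article with the exfiltration payload and read it back."""
    conn = new_db()
    add = add_log_vulnerable if vulnerable else add_log_safe
    gid = add(conn, "Hello", EXFIL_CONTENT, 2)
    return fetch_log(conn, gid)

def demo_update(vulnerable):
    """The unquoted gid in the vulnerable UPDATE accepts a boolean tail,
    so an edit meant for one post rewrites every row."""
    conn = new_db()
    for i in range(3):
        add_log_safe(conn, f"post {i}", "body", 1)
    update = update_log_vulnerable if vulnerable else update_log_safe
    try:
        changed = update(conn, "1 OR 1=1", "defaced")
    except ValueError:          # int("1 OR 1=1") fails in the safe variant
        changed = 0
    titles = [r[0] for r in conn.execute("SELECT title FROM logs ORDER BY gid")]
    return changed, titles

if __name__ == "__main__":
    print("vulnerable insert ->", demo_insert(True))
    print("safe insert       ->", demo_insert(False))
    print("vulnerable update ->", demo_update(True))
    print("safe update       ->", demo_update(False))
```

With the vulnerable functions the inserted article's body becomes the concatenated name:password_hash list from the users table, and the update with gid "1 OR 1=1" rewrites all three posts. With bound parameters the payload is stored as inert text and the non-numeric identifier is rejected before any SQL runs; that, not content sanitization, is the property the upgrade should restore.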

Advisories

No advisories yet.

History

Fri, 08 May 2026 23:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Emlog
                                      Emlog emlog
Vendors & Products                    Emlog
                                      Emlog emlog

Fri, 08 May 2026 22:00:00 +0000

Type          Values Removed   Values Added
Description                    Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been patched in version 2.6.11.
Title                          Emlog: SQL Injection Vulnerability in log_model.php within addLog() and updateLog() Functions
Weaknesses                     CWE-89
References
Metrics                        cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:51:52.652Z

Reserved: 2026-04-26T12:13:55.551Z

Link: CVE-2026-42287

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T22:16:33.057

Modified: 2026-05-08T22:16:33.057

Link: CVE-2026-42287

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:30:21Z

Weaknesses