Emlog
by Emlog
CVEs (86)
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42287 | | Critical | 0.65 | — | 0.00 | | May 8, 2026 | Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction.… |
| CVE-2026-42286 | | High | 0.55 | — | 0.00 | | May 8, 2026 | Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and… |
| CVE-2026-39276 | | High | 0.47 | 7.2 | 0.01 | | May 29, 2026 | The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default… |
| CVE-2026-34607 | | High | 0.47 | 7.2 | 0.01 | | Apr 3, 2026 | Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls… |
| CVE-2026-34788 | | Medium | 0.42 | 6.5 | 0.00 | | Apr 3, 2026 | Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized… |
| CVE-2026-34787 | | Medium | 0.42 | 6.5 | 0.01 | | Apr 3, 2026 | Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the… |
| CVE-2026-34228 | | Medium | 0.35 | 6.5 | 0.00 | | Apr 3, 2026 | Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root… |
| CVE-2026-34229 | | Medium | 0.33 | 6.1 | 0.00 | | Apr 3, 2026 | Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in emlog comment module via URI scheme validation bypass. This issue has been patched in version 2.6.8. |
| CVE-2025-9296 | | Medium | 0.31 | 4.7 | 0.00 | | Aug 21, 2025 | A security vulnerability has been detected in Emlog Pro up to 2.5.18. This affects an unknown function of the file /admin/blogger.php?action=update_avatar. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The… |
| CVE-2026-21429 | | Medium | 0.28 | 4.3 | 0.00 | | Jan 2, 2026 | Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available. |
| CVE-2025-5886 | | Low | 0.23 | 3.5 | 0.00 | | Jun 9, 2025 | A vulnerability was found in Emlog up to 2.5.7 and classified as problematic. This issue affects some unknown processing of the file /admin/article.php. The manipulation of the argument active_post leads to cross site scripting. The attack may be initiated remotely. The exploit… |
| CVE-2024-33752 | | | 0.07 | — | 0.05 | | May 6, 2024 | An arbitrary file upload vulnerability exists in emlog pro 2.3.0 and pro 2.3.2 at admin/views/plugin.php that could be exploited by a remote attacker to submit a special request to upload a malicious file to execute arbitrary code. |
| CVE-2021-3293 | | | 0.05 | — | 0.17 | | Feb 8, 2021 | emlog v5.3.1 has full path disclosure vulnerability in t/index.php, which allows an attacker to see the path to the webroot/file. |
| CVE-2021-31737 | | | 0.02 | — | 0.04 | | May 6, 2021 | emlog v5.3.1 and emlog v6.0.0 have a Remote Code Execution vulnerability due to upload of database backup file in admin/data.php. |
| CVE-2023-41621 | | | 0.01 | — | 0.01 | | Dec 13, 2023 | A Cross Site Scripting (XSS) vulnerability was discovered in Emlog Pro v2.1.14 via the component /admin/store.php. |
| CVE-2023-43291 | | | 0.01 | — | 0.02 | | Sep 26, 2023 | Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component. |
| CVE-2021-40883 | | | 0.01 | — | 0.03 | | Dec 14, 2021 | A Remote Code Execution (RCE) vulnerability exists in emlog 5.3.1 via content/plugins. |
| CVE-2020-21585 | | | 0.01 | — | 0.03 | | Apr 2, 2021 | Vulnerability in emlog v6.0.0 allows user to upload webshells via zip plugin module. |
| CVE-2026-41517 | | None | 0.00 | — | 0.00 | | May 8, 2026 | Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in… |
| CVE-2026-31954 | | | 0.00 | — | 0.00 | | Mar 11, 2026 | Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks. |
Page 1 of 5