Vendor CVEs
Emlog
All CVEs
86 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42287 |  | Cri | 0.65 | — | 0.00 |  | May 8, 2026 | Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction.… |
| CVE-2026-42286 |  | Hig | 0.55 | — | 0.00 |  | May 8, 2026 | Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and… |
| CVE-2026-39276 |  | Hig | 0.47 | 7.2 | 0.01 |  | May 29, 2026 | The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default… |
| CVE-2026-34607 |  | Hig | 0.47 | 7.2 | 0.01 |  | Apr 3, 2026 | Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls… |
| CVE-2026-34788 |  | Med | 0.42 | 6.5 | 0.00 |  | Apr 3, 2026 | Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized… |
| CVE-2026-34787 |  | Med | 0.42 | 6.5 | 0.01 |  | Apr 3, 2026 | Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the… |
| CVE-2026-34228 |  | Med | 0.35 | 6.5 | 0.00 |  | Apr 3, 2026 | Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root… |
| CVE-2026-34229 |  | Med | 0.33 | 6.1 | 0.00 |  | Apr 3, 2026 | Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in emlog comment module via URI scheme validation bypass. This issue has been patched in version 2.6.8. |
| CVE-2025-9296 |  | Med | 0.31 | 4.7 | 0.00 |  | Aug 21, 2025 | A security vulnerability has been detected in Emlog Pro up to 2.5.18. This affects an unknown function of the file /admin/blogger.php?action=update_avatar. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The… |
| CVE-2026-21429 |  | Med | 0.28 | 4.3 | 0.00 |  | Jan 2, 2026 | Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available. |
| CVE-2025-5886 |  | Low | 0.23 | 3.5 | 0.00 |  | Jun 9, 2025 | A vulnerability was found in Emlog up to 2.5.7 and classified as problematic. This issue affects some unknown processing of the file /admin/article.php. The manipulation of the argument active_post leads to cross site scripting. The attack may be initiated remotely. The exploit… |
| CVE-2024-33752 |  |  | 0.07 | — | 0.05 |  | May 6, 2024 | An arbitrary file upload vulnerability exists in emlog pro 2.3.0 and pro 2.3.2 at admin/views/plugin.php that could be exploited by a remote attacker to submit a special request to upload a malicious file to execute arbitrary code. |
| CVE-2021-3293 |  |  | 0.05 | — | 0.17 |  | Feb 8, 2021 | emlog v5.3.1 has full path disclosure vulnerability in t/index.php, which allows an attacker to see the path to the webroot/file. |
| CVE-2021-31737 |  |  | 0.02 | — | 0.04 |  | May 6, 2021 | emlog v5.3.1 and emlog v6.0.0 have a Remote Code Execution vulnerability due to upload of database backup file in admin/data.php. |
| CVE-2023-41621 |  |  | 0.01 | — | 0.01 |  | Dec 13, 2023 | A Cross Site Scripting (XSS) vulnerability was discovered in Emlog Pro v2.1.14 via the component /admin/store.php. |
| CVE-2023-43291 |  |  | 0.01 | — | 0.02 |  | Sep 26, 2023 | Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component. |
| CVE-2021-40883 |  |  | 0.01 | — | 0.03 |  | Dec 14, 2021 | A Remote Code Execution (RCE) vulnerability exists in emlog 5.3.1 via content/plugins. |
| CVE-2020-21585 |  |  | 0.01 | — | 0.03 |  | Apr 2, 2021 | Vulnerability in emlog v6.0.0 allows user to upload webshells via zip plugin module. |
| CVE-2026-41517 |  | Non | 0.00 | — | 0.00 |  | May 8, 2026 | Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in… |
| CVE-2026-31954 |  |  | 0.00 | — | 0.00 |  | Mar 11, 2026 | Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks. |
| CVE-2026-22799 |  |  | 0.00 | — | 0.01 |  | Jan 12, 2026 | Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers… |
| CVE-2026-21433 |  |  | 0.00 | — | 0.00 |  | Jan 2, 2026 | Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource… |
| CVE-2026-21432 |  |  | 0.00 | — | 0.00 |  | Jan 2, 2026 | Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available. |
| CVE-2026-21431 |  |  | 0.00 | — | 0.00 |  | Jan 2, 2026 | Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library` function while publishing an article. As of time of publication, no known patched versions are available. |
| CVE-2026-21430 |  |  | 0.00 | — | 0.00 |  | Jan 2, 2026 | Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with… |
| CVE-2025-61318 |  |  | 0.00 | — | 0.01 |  | Dec 8, 2025 | Emlog Pro 2.5.20 has an arbitrary file deletion vulnerability. This vulnerability stems from the admin/template.php component and the admin/plugin.php component. They fail to perform path verification and dangerous code filtering for deletion parameters, allowing attackers to… |
| CVE-2025-62717 |  |  | 0.00 | — | 0.00 |  | Oct 24, 2025 | Emlog is an open source website building system. In version 2.5.23, Emlog Pro is vulnerable to a session verification code error due to a clearing logic error. This means the verification code could be reused anywhere an email verification code is required. This issue has been… |
| CVE-2025-61930 |  |  | 0.00 | — | 0.00 |  | Oct 10, 2025 | Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross‑Site Request Forgery (CSRF) on the password change endpoint. An attacker can trick a logged‑in administrator into submitting a crafted POST request to change the… |
| CVE-2025-61769 |  |  | 0.00 | — | 0.00 |  | Oct 6, 2025 | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including version 2.5.22 allows authenticated remote attackers to inject arbitrary web script or HTML via the file upload functionality. As an authenticated user it is… |
| CVE-2025-61599 |  |  | 0.00 | — | 0.00 |  | Oct 3, 2025 | Emlog is an open source website building system. A stored Cross-Site Scripting (XSS) vulnerability exists in the "Twitter" feature of EMLOG Pro 2.5.21 and below. An authenticated user with privileges to post a "Twitter" message can inject arbitrary JavaScript code. The malicious… |
| CVE-2025-61597 |  |  | 0.00 | — | 0.00 |  | Oct 3, 2025 | Emlog is an open source website building system. In versions 2.5.21 and below, an HTML template injection allows stored cross‑site scripting (XSS) via the mail template settings. Once a malicious payload is saved, any subsequent visit to the settings page in an authenticated… |
| CVE-2025-60448 |  |  | 0.00 | — | 0.00 |  | Oct 3, 2025 | A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists due to insufficient validation of SVG file uploads in the /admin/media.php component, allowing attackers to upload malicious SVG files containing JavaScript code… |
| CVE-2025-44139 |  |  | 0.00 | — | 0.01 |  | Aug 1, 2025 | Emlog Pro V2.5.7 is vulnerable to Unrestricted Upload of File with Dangerous Type via /emlog/admin/plugin.php?action=upload_zip |
| CVE-2025-53926 |  |  | 0.00 | — | 0.00 |  | Jul 16, 2025 | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows remote attackers to inject arbitrary web script or HTML via the comment and comname parameters. Reflected XSS requires the victim to send… |
| CVE-2025-53925 |  |  | 0.00 | — | 0.00 |  | Jul 16, 2025 | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows authenticated remote attackers to inject arbitrary web script or HTML via the file upload functionality. As an authenticated user it is… |
| CVE-2025-53924 |  |  | 0.00 | — | 0.00 |  | Jul 16, 2025 | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows authenticated remote attackers to inject arbitrary web script or HTML via the siteurl parameter. It is possible to inject malicious code… |
| CVE-2025-53923 |  |  | 0.00 | — | 0.00 |  | Jul 16, 2025 | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter. Due to lack of sanitization it is possible to inject… |
| CVE-2025-47786 |  |  | 0.00 | — | 0.00 |  | May 15, 2025 | Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In `/admin/comment.php`, the parameter `perpage_num` is not… |
| CVE-2025-47785 |  |  | 0.00 | — | 0.01 |  | May 15, 2025 | Emlog is an open source website building system. In versions up to and including 2.5.9, SQL injection occurs because the $origContent parameter in admin/article_save.php is not strictly filtered. Since admin/article_save.php can be accessed by ordinary registered users, this… |
| CVE-2025-47787 |  |  | 0.00 | — | 0.01 |  | May 15, 2025 | Emlog is an open source website building system. Emlog Pro prior to version 2.5.10 contains a file upload vulnerability. The store.php component contains a critical security flaw where it fails to properly validate the contents of remotely downloaded ZIP plugin files. This… |
| CVE-2025-47784 |  |  | 0.00 | — | 0.00 |  | May 15, 2025 | Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause `str_replace` to replace the value of `name_orig` with empty, causing deserialization to fail and return… |
| CVE-2025-30372 |  |  | 0.00 | — | 0.01 |  | Mar 28, 2025 | Emlog is an open source website building system. Emlog Pro versions pro-2.5.7 and pro-2.5.8 contain an SQL injection vulnerability. `search_controller.php` does not use addslashes after urldecode, allowing the preceding addslashes to be bypassed by URL double encoding. This… |
| CVE-2025-29405 |  |  | 0.00 | — | 0.00 |  | Mar 19, 2025 | An arbitrary file upload vulnerability in the component /admin/template.php of emlog pro 2.5.0 and pro 2.5.* allows attackers to execute arbitrary code via uploading a crafted PHP file. |
| CVE-2025-29401 |  |  | 0.00 | — | 0.01 |  | Mar 19, 2025 | An arbitrary file upload vulnerability in the component /views/plugin.php of emlog pro v2.5.7 allows attackers to execute arbitrary code via uploading a crafted PHP file. |
| CVE-2025-25783 |  |  | 0.00 | — | 0.01 |  | Feb 26, 2025 | An arbitrary file upload vulnerability in the component admin\plugin.php of Emlog Pro v2.5.3 allows attackers to execute arbitrary code via uploading a crafted Zip file. |
| CVE-2025-25825 |  |  | 0.00 | — | 0.00 |  | Feb 26, 2025 | A cross-site scripting (XSS) vulnerability in Emlog Pro v2.5.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title in the article category section. |
| CVE-2025-25823 |  |  | 0.00 | — | 0.00 |  | Feb 26, 2025 | A cross-site scripting (XSS) vulnerability in Emlog Pro v2.5.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the article header at /admin/article.php. |
| CVE-2025-25818 |  |  | 0.00 | — | 0.00 |  | Feb 26, 2025 | A cross-site scripting (XSS) vulnerability in Emlog Pro v2.5.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the postStrVar function at article_save.php. |
| CVE-2024-13135 |  |  | 0.00 | — | 0.00 |  | Jan 5, 2025 | A vulnerability has been found in Emlog Pro 2.4.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/twitter.php of the component Subpage Handler. The manipulation leads to cross site scripting. The attack can be launched… |
| CVE-2024-13132 |  |  | 0.00 | — | 0.00 |  | Jan 5, 2025 | A vulnerability classified as problematic was found in Emlog Pro up to 2.4.3. This vulnerability affects unknown code of the file /admin/article.php of the component Subpage Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The… |
Page 1 of 2