Emlog Emlog
31 CVEs affecting Emlog Emlog. Latest disclosed: 2026-05-08. Critical: 0, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-47785 | High | 8.3 | 2025-05-15 | Emlog is an open source website building system. In versions up to and including 2.5.9, SQL injection occurs because the $origContent parameter in admin/articl… |
| CVE-2025-53923 | High | 8.2 | 2025-07-16 | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows remote attackers to… |
| CVE-2025-61930 | High | 8.1 | 2025-10-10 | Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross‑Site Request Forgery (CSRF) on the password chan… |
| CVE-2026-21433 | High | 7.7 | 2026-01-02 | Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via upload… |
| CVE-2025-61597 | High | 7.6 | 2025-10-03 | Emlog is an open source website building system. In versions 2.5.21 and below, an HTML template injection allows stored cross‑site scripting (XSS) via the mail… |
| CVE-2026-34607 | High | 7.2 | 2026-04-03 | Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/comm… |
| CVE-2025-53924 | Medium | 6.9 | 2025-07-16 | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows authenticated remote… |
| CVE-2026-34788 | Medium | 6.5 | 2026-04-03 | Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168… |
| CVE-2026-34787 | Medium | 6.5 | 2026-04-03 | Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80… |
| CVE-2026-34229 | Medium | 6.1 | 2026-04-03 | Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in emlog comment module via… |
| CVE-2025-53926 | Medium | 6.1 | 2025-07-16 | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows remote attackers to… |
| CVE-2025-53925 | Medium | 5.4 | 2025-07-16 | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows authenticated remote… |
| CVE-2025-9296 | Medium | 4.7 | 2025-08-21 | A security vulnerability has been detected in Emlog Pro up to 2.5.18. This affects an unknown function of the file /admin/blogger.php?action=update_avatar. Suc… |
| CVE-2026-21429 | Medium | 4.3 | 2026-01-02 | Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after… |
| CVE-2025-5886 | Low | 3.5 | 2025-06-09 | A vulnerability was found in Emlog up to 2.5.7 and classified as problematic. This issue affects some unknown processing of the file /admin/article.php. The ma… |
| CVE-2026-42287 | | | 2026-05-08 | Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to exe… |
| CVE-2026-42286 | | | 2026-05-08 | Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authent… |
| CVE-2026-41517 | | | 2026-05-08 | Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary… |
| CVE-2026-34228 | | | 2026-04-03 | Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The… |
| CVE-2026-31954 | Unrated | | 2026-03-11 | Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), e… |