Vulnerabilities
Vulnerable Software
Emlog:  >> Emlog  Security Vulnerabilities
A vulnerability was found in Emlog up to 2.5.7 and classified as problematic. This issue affects some unknown processing of the file /admin/article.php. The manipulation of the argument active_post leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
3.5
EPSS Score
0.0
Published
2025-06-09
A vulnerability has been found in Emlog Pro 2.5.11 and classified as critical. This vulnerability affects unknown code of the file /include/controller/api_controller.php. The manipulation of the argument tag leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-05-23
Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In `/admin/comment.php`, the parameter `perpage_num` is not validated and is directly stored in the `admin_commend_perpage_num` field of the `emlog_options` table in the database. Moreover, the output is not filtered, resulting in the direct output of malicious code. As of time of publication, it is unclear if a patch exists.
CVSS Score
4.8
EPSS Score
0.0
Published
2025-05-15
Emlog is an open source website building system. Emlog Pro prior to version 2.5.10 contains a file upload vulnerability. The store.php component contains a critical security flaw where it fails to properly validate the contents of remotely downloaded ZIP plugin files. This insufficient validation allows attackers to execute arbitrary code on the vulnerable system. Version 2.5.10 contains a patch for the issue.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-05-15
Emlog is an open source website building system. In versions up to and including 2.5.9, SQL injection occurs because the $origContent parameter in admin/article_save.php is not strictly filtered. Since admin/article_save.php can be accessed by ordinary registered users, this will cause SQL injection to occur when the registered site is enabled, resulting in the injection of the admin account and password, which is then exploited by the backend remote code execution. As of time of publication, it is unknown whether a fix exists.
CVSS Score
8.3
EPSS Score
0.002
Published
2025-05-15
Emlog is an open source website building system. Emlog Pro versions pro-2.5.7 and pro-2.5.8 contain an SQL injection vulnerability. `search_controller.php` does not use addslashes after urldecode, allowing the preceeding addslashes to be bypassed by URL double encoding. This could result in potential leakage of sensitive information from the user database. Version pro-2.5.9 fixes the issue.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-03-28
An arbitrary file upload vulnerability in the component /admin/template.php of emlog pro 2.5.0 and pro 2.5.* allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVSS Score
6.3
EPSS Score
0.001
Published
2025-03-19
An arbitrary file upload vulnerability in the component /views/plugin.php of emlog pro v2.5.7 allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-03-19
A cross-site scripting (XSS) vulnerability in Emlog Pro v2.5.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the postStrVar function at article_save.php.
CVSS Score
5.1
EPSS Score
0.0
Published
2025-02-26
A cross-site scripting (XSS) vulnerability in Emlog Pro v2.5.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the article header at /admin/article.php.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-02-26


Contact Us

Shodan ® - All rights reserved