CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47786 – Emlog vulnerable to Stored Cross-site Scripting
https://notcve.org/view.php?id=CVE-2025-47786
15 May 2025 — Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In `/admin/comment.php`, the parameter `perpage_num` is not validated and is directly stored in the `admin_commend_perpage_num` field of the `emlog_options` table in the database. Moreover, the output is not filtered, resulting in the direct output of malicious code. As of time of publication, i... • https://github.com/emlog/emlog/security/advisories/GHSA-82qc-9vg7-2c6c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47785 – EMLOG SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-47785
15 May 2025 — Emlog is an open source website building system. In versions up to and including 2.5.9, SQL injection occurs because the $origContent parameter in admin/article_save.php is not strictly filtered. Since admin/article_save.php can be accessed by ordinary registered users, this will cause SQL injection to occur when the registered site is enabled, resulting in the injection of the admin account and password, which is then exploited by the backend remote code execution. As of time of publication, it is unknown ... • https://github.com/emlog/emlog/security/advisories/GHSA-939m-47f7-m559 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47787 – Emlog Pro Contains a File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-47787
15 May 2025 — Emlog is an open source website building system. Emlog Pro prior to version 2.5.10 contains a file upload vulnerability. The store.php component contains a critical security flaw where it fails to properly validate the contents of remotely downloaded ZIP plugin files. This insufficient validation allows attackers to execute arbitrary code on the vulnerable system. Version 2.5.10 contains a patch for the issue. • https://github.com/emlog/emlog/commit/691c13e90df2fb35e120f4e0735078bad018eed7 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47784 – Emlog vulnerable to Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2025-47784
15 May 2025 — Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause `str_replace` to replace the value of `name_orig` with empty, causing deserialization to fail and return `false`. Commit 9643250802188b791419e3c2188577073256a8a2 fixes the issue. • https://github.com/emlog/emlog/commit/9643250802188b791419e3c2188577073256a8a2 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30372 – Emlog Pro contains an SQL injection vulnerability.
https://notcve.org/view.php?id=CVE-2025-30372
28 Mar 2025 — Emlog is an open source website building system. Emlog Pro versions pro-2.5.7 and pro-2.5.8 contain an SQL injection vulnerability. `search_controller.php` does not use addslashes after urldecode, allowing the preceeding addslashes to be bypassed by URL double encoding. This could result in potential leakage of sensitive information from the user database. Version pro-2.5.9 fixes the issue. • https://github.com/emlog/emlog/security/advisories/GHSA-w6xc-r6x5-m77c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46540
https://notcve.org/view.php?id=CVE-2024-46540
30 Sep 2024 — A remote code execution (RCE) vulnerability in the component /admin/store.php of Emlog Pro before v2.3.15 allows attackers to use remote file downloads and self-extract fucntions to upload webshells to the target server, thereby obtaining system privileges. • https://gist.github.com/microvorld/1c1ef9c3390a5d88a5ede9f9424a8bd2 • CWE-266: Incorrect Privilege Assignment •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-31612
https://notcve.org/view.php?id=CVE-2024-31612
10 Jun 2024 — Emlog pro2.3 is vulnerable to Cross Site Request Forgery (CSRF) via twitter.php which can be used with a XSS vulnerability to access administrator information. Emlog pro2.3 es vulnerable a Cross-Site Request Forgery (CSRF) a través de twitter.php, que puede usarse con una vulnerabilidad XSS para acceder a la información del administrador. • https://github.com/ss122-0ss/cms/blob/main/emlog-csrf.md • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-5043 – Emlog Pro setting.php unrestricted upload
https://notcve.org/view.php?id=CVE-2024-5043
17 May 2024 — A vulnerability was found in Emlog Pro 2.3.4 and classified as critical. Affected by this issue is some unknown functionality of the file admin/setting.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/ssteveez/emlog/blob/main/emlog%20pro%20version%202.3.4%20Admin%20side%20can%20upload%20arbitrary%20files%20and%20getshell.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 81%CPEs: 1EXPL: 0CVE-2024-33752
https://notcve.org/view.php?id=CVE-2024-33752
06 May 2024 — An arbitrary file upload vulnerability exists in emlog pro 2.3.0 and pro 2.3.2 at admin/views/plugin.php that could be exploited by a remote attacker to submit a special request to upload a malicious file to execute arbitrary code. Existe una vulnerabilidad de carga de archivos arbitrarios en emlog pro 2.3.0 y pro 2.3.2 en admin/views/plugin.php que podría ser aprovechada por un atacante remoto para enviar una solicitud especial para cargar un archivo malicioso para ejecutar código arbitrario. • https://github.com/Myanemo/emlogpro/blob/main/emlog%20pro2.3.2%20File%20upload%20to%20getshell.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3763 – Emlog Pro Post Tag tag.php cross site scripting
https://notcve.org/view.php?id=CVE-2024-3763
14 Apr 2024 — A vulnerability was found in Emlog Pro 2.2.10. It has been rated as problematic. This issue affects some unknown processing of the file /admin/tag.php of the component Post Tag Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. • https://github.com/fubxx/CVE/blob/main/Emlog-XSS2.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •