
CVE-2025-47785 – EMLOG SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-47785
15 May 2025 — Emlog is an open source website building system. In versions up to and including 2.5.9, SQL injection occurs because the $origContent parameter in admin/article_save.php is not strictly filtered. Since admin/article_save.php can be accessed by ordinary registered users, this causes SQL injection when site registration is enabled, allowing the admin account and password to be extracted by injection, which can then be leveraged for backend remote code execution. As of time of publication, it is unknown ... • https://github.com/emlog/emlog/security/advisories/GHSA-939m-47f7-m559 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-47787 – Emlog Pro Contains a File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-47787
15 May 2025 — Emlog is an open source website building system. Emlog Pro prior to version 2.5.10 contains a file upload vulnerability. The store.php component contains a critical security flaw where it fails to properly validate the contents of remotely downloaded ZIP plugin files. This insufficient validation allows attackers to execute arbitrary code on the vulnerable system. Version 2.5.10 contains a patch for the issue. • https://github.com/emlog/emlog/commit/691c13e90df2fb35e120f4e0735078bad018eed7 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-47784 – Emlog vulnerable to Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2025-47784
15 May 2025 — Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause `str_replace` to replace the value of `name_orig` with empty, causing deserialization to fail and return `false`. Commit 9643250802188b791419e3c2188577073256a8a2 fixes the issue. • https://github.com/emlog/emlog/commit/9643250802188b791419e3c2188577073256a8a2 • CWE-502: Deserialization of Untrusted Data •

CVE-2024-31612
https://notcve.org/view.php?id=CVE-2024-31612
10 Jun 2024 — Emlog pro2.3 is vulnerable to Cross Site Request Forgery (CSRF) via twitter.php, which can be used together with an XSS vulnerability to access administrator information. • https://github.com/ss122-0ss/cms/blob/main/emlog-csrf.md • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2023-41619
https://notcve.org/view.php?id=CVE-2023-41619
16 Jan 2024 — Emlog Pro v2.1.14 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/article.php?action=write. • https://github.com/GhostBalladw/wuhaozhe-s-CVE/blob/main/CVE-2023-41619 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-41618
https://notcve.org/view.php?id=CVE-2023-41618
13 Dec 2023 — Emlog Pro v2.1.14 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /admin/article.php?active_savedraft. • https://github.com/GhostBalladw/wuhaozhe-s-CVE/blob/main/CVE-2023-41618 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-41621
https://notcve.org/view.php?id=CVE-2023-41621
13 Dec 2023 — A Cross Site Scripting (XSS) vulnerability was discovered in Emlog Pro v2.1.14 via the component /admin/store.php. • https://github.com/GhostBalladw/wuhaozhe-s-CVE/blob/main/CVE-2023-41621 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-41623
https://notcve.org/view.php?id=CVE-2023-41623
12 Dec 2023 — Emlog version pro2.1.14 was discovered to contain a SQL injection vulnerability via the uid parameter at /admin/media.php. • https://github.com/GhostBalladw/wuhaozhe-s-CVE • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-44973
https://notcve.org/view.php?id=CVE-2023-44973
03 Oct 2023 — An arbitrary file upload vulnerability in the component /content/templates/ of Emlog Pro v2.2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file. • https://github.com/yangliukk/emlog/blob/main/Template-getshell.md • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-44974
https://notcve.org/view.php?id=CVE-2023-44974
03 Oct 2023 — An arbitrary file upload vulnerability in the component /admin/plugin.php of Emlog Pro v2.2.0 allows attackers to execute arbitrary code via uploading a crafted PHP file. • https://github.com/yangliukk/emlog/blob/main/Plugin-getshell.md • CWE-434: Unrestricted Upload of File with Dangerous Type •