CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47785 – EMLOG SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-47785
15 May 2025 — Emlog is an open source website building system. In versions up to and including 2.5.9, SQL injection occurs because the $origContent parameter in admin/article_save.php is not strictly filtered. Since admin/article_save.php can be accessed by ordinary registered users, this will cause SQL injection to occur when the registered site is enabled, resulting in the injection of the admin account and password, which is then exploited by the backend remote code execution. As of time of publication, it is unknown ... • https://github.com/emlog/emlog/security/advisories/GHSA-939m-47f7-m559 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47787 – Emlog Pro Contains a File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-47787
15 May 2025 — Emlog is an open source website building system. Emlog Pro prior to version 2.5.10 contains a file upload vulnerability. The store.php component contains a critical security flaw where it fails to properly validate the contents of remotely downloaded ZIP plugin files. This insufficient validation allows attackers to execute arbitrary code on the vulnerable system. Version 2.5.10 contains a patch for the issue. • https://github.com/emlog/emlog/commit/691c13e90df2fb35e120f4e0735078bad018eed7 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47784 – Emlog vulnerable to Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2025-47784
15 May 2025 — Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause `str_replace` to replace the value of `name_orig` with empty, causing deserialization to fail and return `false`. Commit 9643250802188b791419e3c2188577073256a8a2 fixes the issue. • https://github.com/emlog/emlog/commit/9643250802188b791419e3c2188577073256a8a2 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-31612
https://notcve.org/view.php?id=CVE-2024-31612
10 Jun 2024 — Emlog pro2.3 is vulnerable to Cross Site Request Forgery (CSRF) via twitter.php which can be used with a XSS vulnerability to access administrator information. Emlog pro2.3 es vulnerable a Cross-Site Request Forgery (CSRF) a través de twitter.php, que puede usarse con una vulnerabilidad XSS para acceder a la información del administrador. • https://github.com/ss122-0ss/cms/blob/main/emlog-csrf.md • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3968 – emlog article_save.php cross site scripting
https://notcve.org/view.php?id=CVE-2022-3968
13 Nov 2022 — A vulnerability has been found in emlog and classified as problematic. Affected by this vulnerability is an unknown functionality of the file admin/article_save.php. The manipulation of the argument tag leads to cross site scripting. The attack can be launched remotely. The name of the patch is 5bf7a79826e0ea09bcc8a21f69a0c74107761a02. • https://github.com/emlog/emlog/commit/5bf7a79826e0ea09bcc8a21f69a0c74107761a02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-707: Improper Neutralization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2019-17073
https://notcve.org/view.php?id=CVE-2019-17073
01 Oct 2019 — emlog through 6.0.0beta allows remote authenticated users to delete arbitrary files via admin/template.php?action=del&tpl=../ directory traversal. emlog versiones hasta 6.0.0beta, permite a los usuarios identificados remotos eliminar archivos arbitrarios por medio del salto de directorio de admin/template.php?action=del&tpl=../. • https://github.com/emlog/emlog/issues/49 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 2%CPEs: 2EXPL: 1CVE-2019-16868
https://notcve.org/view.php?id=CVE-2019-16868
25 Sep 2019 — emlog through 6.0.0beta has an arbitrary file deletion vulnerability via an admin/data.php?action=dell_all_bak request with directory traversal sequences in the bak[] parameter. emlog hasta la versión 6.0.0beta tiene una vulnerabilidad de eliminación de archivos arbitraria en la petición admin/data.php?action=dell_all_bak con secuencias de salto de directorio en el parámetro bak[]. • https://github.com/emlog/emlog/issues/48 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •