MEDIUMCVE-2026-21430

Emlog: CSRF chained with stored XSS leads to ATO

Platform

php

Component

emlog

Fixed in

2.5.24

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

EPSS

0.03% (9% percentile)

CISA SSVC

Exploitationnone

Automatableyes

Technical Impactpartial

Affected Software

Componentemlog

Vendoremlog

Affected rangeFixed in

= 2.5.23 – = 2.5.232.5.24

Weakness Classification (CWE)

CWE-352 CWE-79

Timeline

Reserved2025-12-29
Published2026-01-02
Modified2026-01-05
EPSS updated2026-03-23

How to fix

Update to a patched version when available. Until then, carefully review and validate all user inputs to prevent XSS. Implement robust CSRF protections on all sensitive operations.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.