Cross-site scripting in Emlog Pro - #VU125573

 


Published: April 9, 2026 / Updated: April 10, 2026


Vulnerability identifier: #VU125573
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Emlog
Affected software: Emlog Pro

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script code in the administrator's browser.

The vulnerability exists due to missing request validation and cross-site scripting in link management: a forged request can create a crafted link entry, and the entry's icon field is later rendered on the page. A remote attacker can submit a specially crafted request to execute arbitrary script code in the administrator's browser.

Exploitation requires an administrator to be logged in and to open the link management page after the crafted entry has been created.


Remediation

Install the security update from the vendor's website.
