Cross-site scripting in Emlog Pro - #VU125574

 


Published: April 9, 2026 / Updated: April 10, 2026


Vulnerability identifier: #VU125574
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Emlog
Affected software:
Emlog Pro

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in an administrator context.

The vulnerability exists due to cross-site scripting in the article edit page when rendering stored custom field values. A remote user can submit specially crafted field_keys[] and field_values[] data to execute arbitrary script in an administrator context.

User interaction is required: an administrator or editor must open the article edit page.
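
The weakness class described above, rendering stored custom field values into the edit form without output encoding, is shown below next to its encoded form. This is an added example, not Emlog Pro source code: the function names and the sample rows are hypothetical and constructed for illustration; only the `field_keys[]` and `field_values[]` parameter names come from the advisory.

```php
<?php
// Added illustration; not Emlog Pro source code. Function names are hypothetical.

// Encode a stored value for use inside a double-quoted HTML attribute.
function esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe pattern: stored key/value are concatenated into the form as-is,
// so quotes and angle brackets in storage become markup on the edit page.
function render_field_row_unsafe(string $key, string $value): string
{
    return '<input name="field_keys[]" value="' . $key . '">'
         . '<input name="field_values[]" value="' . $value . '">';
}

// Hardened pattern: every stored value is encoded at output time,
// regardless of what validation happened when it was saved.
function render_field_row(string $key, string $value): string
{
    return '<input name="field_keys[]" value="' . esc_attr($key) . '">'
         . '<input name="field_values[]" value="' . esc_attr($value) . '">';
}

// Constructed sample rows standing in for stored custom fields.
$stored = [
    ['source', 'press release'],
    ['note', '"><i>markup from storage</i>'],
];

foreach ($stored as [$key, $value]) {
    $unsafe = render_field_row_unsafe($key, $value);
    $safe   = render_field_row($key, $value);
    // Count opening tags a browser would parse; a row should contain
    // exactly its two <input> elements and nothing else.
    printf("%-8s unsafe tags=%d  encoded tags=%d\n",
        $key,
        preg_match_all('/<[a-z]/i', $unsafe),
        preg_match_all('/<[a-z]/i', $safe));
}
```

A tag count above two for a row means a stored value escaped its attribute; the encoded renderer keeps the count at two for any input.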


Remediation

Install the security update from the vendor's website.
