{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21430", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-29T03:00:29.274Z", "datePublished": "2026-01-02T18:44:24.192Z", "dateUpdated": "2026-01-05T20:38:09.299Z"}, "containers": {"cna": {"title": "Emlog: CSRF chained with stored XSS leads to ATO", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/emlog/emlog/security/advisories/GHSA-2g2w-vmg7-pq4q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-2g2w-vmg7-pq4q"}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"version": "= 2.5.23", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-02T18:44:24.192Z"}, "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available."}], "source": {"advisory": "GHSA-2g2w-vmg7-pq4q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-05T20:32:31.928774Z", "id": "CVE-2026-21430", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-05T20:38:09.299Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21430", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-05T20:32:31.928774Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-05T20:32:32.603Z"}}], "cna": {"title": "Emlog: CSRF chained with stored XSS leads to ATO", "source": {"advisory": "GHSA-2g2w-vmg7-pq4q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"status": "affected", "version": "= 2.5.23"}]}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-2g2w-vmg7-pq4q", "name": "https://github.com/emlog/emlog/security/advisories/GHSA-2g2w-vmg7-pq4q", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-02T18:44:24.192Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21430", "state": "PUBLISHED", "dateUpdated": "2026-01-05T20:38:09.299Z", "dateReserved": "2025-12-29T03:00:29.274Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-02T18:44:24.192Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emlog:emlog:2.5.23:*:*:*:pro:*:*:*", "matchCriteriaId": "CBBD3D75-C2B3-4727-9B9E-6408956E4ADB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available."}], "id": "CVE-2026-21430", "lastModified": "2026-01-16T19:07:18.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-02T19:15:47.697", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-2g2w-vmg7-pq4q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:33:09.508900+00:00", "value": {"mitigation_remediation": ["Add CSRF token validation to the article creation endpoint to ensure only legitimate form submissions are processed", "Sanitize and escape all user\u2011submitted article content before rendering to prevent stored XSS attacks", "If a quick custom patch is unattainable, disable the article creation feature for affected users until a secure version is deployed"], "summary": {"action": "Patch urgently", "impact": "Account Takeover via CSRF chained with stored XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Emlog version 2.5.23, specifically the Pro build as identified by the associated CPE string. Users running this exact version without the optional CSRF guard or input sanitization are exposed.", "description_and_impact": "The flaw lies in the article creation controller, which accepts a POST request without verifying a CSRF token. This permits an attacker to force a logged\u2011in user to submit an arbitrary article. When that article is stored and later rendered without sufficient output encoding, the payload executes as a script in the victim\u2019s browser, enabling the attacker to hijack the account and perform arbitrary actions such as modifying content or resetting credentials. The combination of a request forgery with a storage vulnerability results in a direct account takeover path.", "risk_and_exploitability": "The CVSS v3 base score of 7.0 classifies the flaw as high severity, while the EPSS score of less than 1% indicates that publicly observed exploitation attempts are extremely rare. However, the attack requires the victim to be authenticated and to visit a crafted page, a scenario that is feasible for attackers with social engineering or click\u2011through malware capabilities. The flaw is not listed in the current KEV catalog, suggesting no widespread active exploitation at present. Nonetheless the risk of exploitation remains due to the simplicity of the trigger and the potentially severe consequences."}}}}, "created": "2026-01-05T10:13:44.463123+00:00", "updated": "2026-04-18T08:45:41.394334+00:00", "vendors": ["emlog", "emlog$PRODUCT$emlog"]}