{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21433", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-29T03:00:29.275Z", "datePublished": "2026-01-02T19:00:22.611Z", "dateUpdated": "2026-01-05T20:37:52.330Z"}, "containers": {"cna": {"title": "Emlog vulnerable to Server-Side Request Forgery (SSRF)", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/emlog/emlog/security/advisories/GHSA-6rwr-c8hc-mjj4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-6rwr-c8hc-mjj4"}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"version": "<= 2.5.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-02T19:00:22.611Z"}, "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available."}], "source": {"advisory": "GHSA-6rwr-c8hc-mjj4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-05T20:30:21.079318Z", "id": "CVE-2026-21433", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-05T20:37:52.330Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21433", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-05T20:30:21.079318Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-05T20:30:21.806Z"}}], "cna": {"title": "Emlog vulnerable to Server-Side Request Forgery (SSRF)", "source": {"advisory": "GHSA-6rwr-c8hc-mjj4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"status": "affected", "version": "<= 2.5.19"}]}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-6rwr-c8hc-mjj4", "name": "https://github.com/emlog/emlog/security/advisories/GHSA-6rwr-c8hc-mjj4", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-02T19:00:22.611Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21433", "state": "PUBLISHED", "dateUpdated": "2026-01-05T20:37:52.330Z", "dateReserved": "2025-12-29T03:00:29.275Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-02T19:00:22.611Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*", "matchCriteriaId": "72E4E5DE-A4A2-4326-B8EE-71690D75F7AE", "versionEndIncluding": "2.5.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available."}], "id": "CVE-2026-21433", "lastModified": "2026-01-16T18:11:24.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-02T19:15:48.187", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-6rwr-c8hc-mjj4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:32:14.957837+00:00", "value": {"mitigation_remediation": ["Disable or block the upload and rendering of SVG files to prevent external resource references from being processed.", "Implement strict SVG sanitization that removes or rejects any external resource references before thumbnailing or previewing.", "Apply network segmentation or firewall rules to restrict the Emlog application from making outbound HTTP requests to internal IP ranges, mitigating the impact of any SSRF attempts."], "summary": {"action": "Assess Impact", "impact": "Server\u2011Side Request Forgery (SSRF) leading to internal network probing and credential exposure"}, "threat_synthesis": {"affected_systems": "The affected product is Emlog by Emlog, with all released versions up to and including 2.5.19. No patched versions are reported in the advisory, and the vulnerability remains present in these releases.", "description_and_impact": "Emlog, an open\u2011source website builder, is susceptible to Server\u2011Side Request Forgery via uploaded SVG files. A crafted SVG containing external resource references can be uploaded to the admin/media.php endpoint. When the server processes, thumbnails the preview, or sanitizes the file, it automatically requests the external resource, enabling the attacker to force the server to perform HTTP requests to arbitrary hosts. This flaw, classified as CWE\u2011918, can allow an attacker to probe internal network resources and potentially glean sensitive data or credentials from exposed metadata. The vulnerability exists in all releases up to and including version 2.5.19.", "risk_and_exploitability": "The CVSS v3.1 score of 7.7 indicates a high severity for remote exploitation, while the EPSS score of less than 1% suggests that active exploitation is presently rare. The vulnerability is not listed in the CISA KEV catalog, but an attacker who can upload an SVG file to the admin/media.php endpoint can trigger the SSRF. Successful exploitation would allow internal network reconnaissance and may expose internal metadata or credentials. Given the lack of an available patch, the risk to organizations running affected Emlog installations remains significant, especially if the upload functionality is exposed to untrusted users."}}}}, "created": "2026-01-05T10:13:47.005904+00:00", "updated": "2026-04-18T08:45:41.392894+00:00", "vendors": ["emlog", "emlog$PRODUCT$emlog"]}