{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34229", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.034Z", "datePublished": "2026-04-03T22:31:44.971Z", "dateUpdated": "2026-04-06T19:02:14.476Z"}, "containers": {"cna": {"title": "Emlog: Stored XSS in Comment Module via URI Scheme Validation Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/emlog/emlog/security/advisories/GHSA-74gp-xh6w-hqw6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-74gp-xh6w-hqw6"}, {"name": "https://github.com/emlog/emlog/commit/a12ab1b1a273fe634abab32fd28274c18bd57f07", "tags": ["x_refsource_MISC"], "url": "https://github.com/emlog/emlog/commit/a12ab1b1a273fe634abab32fd28274c18bd57f07"}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"version": "< 2.6.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:31:44.971Z"}, "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in emlog comment module via URI scheme validation bypass. This issue has been patched in version 2.6.8."}], "source": {"advisory": "GHSA-74gp-xh6w-hqw6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T19:00:22.723151Z", "id": "CVE-2026-34229", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:02:14.476Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34229", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T19:00:22.723151Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:02:10.523Z"}}], "cna": {"title": "Emlog: Stored XSS in Comment Module via URI Scheme Validation Bypass", "source": {"advisory": "GHSA-74gp-xh6w-hqw6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"status": "affected", "version": "< 2.6.8"}]}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-74gp-xh6w-hqw6", "name": "https://github.com/emlog/emlog/security/advisories/GHSA-74gp-xh6w-hqw6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/emlog/emlog/commit/a12ab1b1a273fe634abab32fd28274c18bd57f07", "name": "https://github.com/emlog/emlog/commit/a12ab1b1a273fe634abab32fd28274c18bd57f07", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in emlog comment module via URI scheme validation bypass. This issue has been patched in version 2.6.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:31:44.971Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34229", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:02:14.476Z", "dateReserved": "2026-03-26T16:22:29.034Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T22:31:44.971Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*", "matchCriteriaId": "DB302EB6-E672-4C36-854F-5329119B5C96", "versionEndExcluding": "2.6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in emlog comment module via URI scheme validation bypass. This issue has been patched in version 2.6.8."}], "id": "CVE-2026-34229", "lastModified": "2026-04-13T17:37:40.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T23:17:04.270", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/emlog/emlog/commit/a12ab1b1a273fe634abab32fd28274c18bd57f07"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-74gp-xh6w-hqw6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "emlog", "source": "cna", "vendor": "emlog"}, "product": "emlog", "vendor": "emlog"}], "analysis": {"en": {"generated_at": "2026-04-13T18:27:04.252490+00:00", "value": {"mitigation_remediation": ["Upgrade emlog to version 2.6.8 or later", "If upgrade is not immediately possible, disable or moderate the comment feature to prevent unauthenticated submissions", "Validate or sanitize all comment input to remove dangerous URI schemes", "Monitor web traffic for unexpected script execution or defacement"], "summary": {"action": "Patch Update", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "emlog version 2.6.8 or higher addresses the issue. All installations using emlog prior to 2.6.8, including the \"pro\" edition, are affected. The vulnerability was identified in the open\u2011source website building system known as emlog, and the affected CPE suggests the product is under the namespace cpe:2.3:a:emlog:emlog:. Users should verify their installed version against the upstream release notes. ", "description_and_impact": "Stored cross\u2011site scripting (XSS) exists in the comment module of emlog due to a bypass in URI scheme validation. This flaw allows a malicious actor to embed JavaScript payloads in comments that are subsequently rendered in other users' browsers. The impact includes cookie theft, session hijacking, defacement of the site, or redirection to malicious sites, thereby compromising confidentiality, integrity, and availability of the affected web application. The weakness corresponds to CWE\u201179, which denotes an unsafe handling of untrusted input in web contexts. ", "risk_and_exploitability": "With a CVSS score of 6.1, the flaw poses a moderate threat level. The EPSS score below 1% indicates a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation would typically involve submitting a comment containing malicious JavaScript, either through authenticated user input or through an unauthenticated commenting interface if the site does not enforce proper access controls. Attackers would then rely on victim browsers to execute the script, giving them the surface described above. "}}}}, "created": "2026-04-06T21:22:09.018995+00:00", "updated": "2026-04-14T16:41:37.293955+00:00", "vendors": ["emlog", "emlog$PRODUCT$emlog"]}