Which versions of Emlog are affected by CVE-2025-47784?

Organizations using Emlog should be aware of notable risk from CVE-2025-47784, a insecure deserialization vulnerability rated CVSS 6.6.. A patch is available.

How to fix or mitigate CVE-2025-47784?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Emlog CVE-2025-47784

Q: What is the CVSS score of CVE-2025-47784?

CVE-2025-47784 has a CVSS 4.0 base score of 6.6 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.8%.

MEDIUM

Deserialization of Untrusted Data (CWE-502)

2025-05-15 security-advisories@github.com

Deserialization Emlog

6.6

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.6 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:42 vuln.today

Patch released

Mar 28, 2026 - 18:42 nvd

Patch available

CVE Published

May 15, 2025 - 20:16 nvd

MEDIUM 6.6

DescriptionGitHub Advisory

Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause str_replace to replace the value of name_orig with empty, causing deserialization to fail and return false. Commit 9643250802188b791419e3c2188577073256a8a2 fixes the issue.

AnalysisAI

Emlog is an open source website building system. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Technical ContextAI

This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause str_replace to replace the value of name_orig with empty, causing deserialization to fail and return false. Commit 9643250802188b791419e3c2188577073256a8a2 fixes the issue. Affected products include: Emlog.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.

CVE-2025-47784 vulnerability details – vuln.today

Back