What is the CVSS score of CVE-2025-61597?

CVE-2025-61597 has a CVSS 3.1 base score of 7.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Emlog are affected by CVE-2025-61597?

Organizations using Emlog face notable risk from CVE-2025-61597, a cross-site scripting vulnerability rated CVSS 7.6.. A patch is available.

Is there a public PoC exploit available for CVE-2025-61597?

Yes, a public proof-of-concept exploit is available for CVE-2025-61597. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-61597?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Verify anti-CSRF tokens and content security policies are enforced.

Emlog CVE-2025-61597

EUVD-2025-33213 HIGH

Cross-site Scripting (XSS) (CWE-79)

2025-10-03 security-advisories@github.com

XSS Emlog

7.6

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.6 HIGH

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 13, 2026 - 19:29 euvd

EUVD-2025-33213

Analysis Generated

Mar 13, 2026 - 19:29 vuln.today

PoC Detected

Oct 20, 2025 - 17:50 vuln.today

Public exploit code

Patch released

Oct 20, 2025 - 17:50 nvd

Patch available

CVE Published

Oct 03, 2025 - 07:15 nvd

HIGH 7.6

DescriptionGitHub Advisory

Emlog is an open source website building system. In versions 2.5.21 and below, an HTML template injection allows stored cross‑site scripting (XSS) via the mail template settings. Once a malicious payload is saved, any subsequent visit to the settings page in an authenticated admin context will execute attacker‑controlled JavaScript, enabling session/token theft and full admin account takeover. This issue is fixed in version 2.5.22.

Analysis

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

A vendor patch is available — apply it immediately. Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

CVE-2025-61597 vulnerability details – vuln.today

Back