Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Reflected XSS reachable remotely without attacker privileges but requiring admin victim interaction (UI:R); script escapes into the browser authority (S:C) with limited confidentiality/integrity impact and no availability effect.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Emlog is an open source website building system. In 2.6.13 and earlier, the admin backend user search module's keyword parameter from admin/user.php is processed with addslashes but not HTML-escaped before being rendered into the value attribute in admin/views/user.php, allowing reflected cross-site scripting in an administrator's backend session. No fixed version is currently identified.
AnalysisAI
Reflected cross-site scripting in Emlog 2.6.13 and earlier lets a remote attacker execute arbitrary JavaScript in an authenticated administrator's backend session by luring the admin to open a crafted link that hits the user-search feature in admin/user.php. The keyword parameter is sanitized with addslashes but never HTML-escaped before it is echoed into a value attribute in admin/views/user.php, so injected markup breaks out of the attribute and runs in the admin's browser. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a victim who is an authenticated Emlog administrator with an active backend session, and (2) that victim to actively open an attacker-crafted link targeting the keyword parameter of admin/user.php (UI:A/required in the CVSS vector) - the attacker themselves needs no account (PR:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N) scores 8.5, treating browser-side compromise of admin functionality as high confidentiality/integrity impact; however this is a reflected XSS that hinges on social-engineering an administrator into clicking a crafted URL (UI:A/required), which materially lowers real-world exploitability versus a no-interaction flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to the target Emlog site's admin/user.php with a malicious payload in the keyword search parameter and, via phishing or a planted link, gets a logged-in administrator to open it. The reflected payload breaks out of the value attribute and executes JavaScript in the admin's authenticated session, letting the attacker steal the session/CSRF token or issue backend actions (e.g., create an admin account, modify content) as that administrator. … |
| Remediation | No vendor-released patch identified at time of analysis, so no fixed version can be cited; monitor the vendor advisory at https://github.com/emlog/emlog/security/advisories/GHSA-3h87-c3m2-jpj9 for an official fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, restrict administrative access to trusted IP addresses using firewall rules and limit access to the user-search feature in admin/user.php to essential personnel. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44985