Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-47786

Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In `/admin/comment.php`, the parameter `perpage_num` is not validated and is directly stored in the `admin_commend_perpage_num` field of the `emlog_options` table in the database. Moreover, the output is not filtered, resulting in the direct output of malicious code. As of time of publication, it is unclear if a patch exists.

Published

2025-05-15T20:16:09.077

Last Modified

2025-06-12T16:39:25.020

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.8 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	emlog	emlog	2.5.13	Yes

References

https://github.com/emlog/emlog/security/advisories/GHSA-82qc-9vg7-2c6c Exploit, Vendor Advisory ([email protected])
https://github.com/emlog/emlog/security/advisories/GHSA-82qc-9vg7-2c6c Exploit, Vendor Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)