CVE-2026-21430
Unknown Unknown - Not Provided
CSRF in Emlog 2.5.23 Article Creation Enables Account Takeover

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: GitHub, Inc.

Description
Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-02
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21430
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
emlog emlog to 2.5.23 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in emlog version 2.5.23 involves a combination of Cross-Site Request Forgery (CSRF) and stored Cross-Site Scripting (XSS). The article creation functionality lacks CSRF protection, allowing an attacker to force a user (such as an admin) to publish an article containing attacker-controlled content. Because the input sanitization is insufficient, malicious scripts can be embedded in these articles. When a victim views the malicious article, the stored XSS executes, stealing session cookies and enabling the attacker to take over the victim's account. [1]

Impact Analysis

The vulnerability can lead to full account takeover of any user who views the maliciously crafted article. Attackers can hijack user sessions by stealing cookies through the stored XSS payload delivered via CSRF-forced article publication. This compromises user accounts, potentially including administrative accounts, leading to unauthorized access and control over the affected website. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint `/emlong/admin/article_save.php` that lack valid CSRF tokens. Network traffic analysis tools can be used to inspect such requests. Additionally, scanning for articles containing suspicious or malicious payloads, such as embedded `<img>` tags with `onerror` events designed to exfiltrate data, can help identify exploitation attempts. Specific commands are not provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the article creation functionality to trusted users only, implementing manual review of newly created articles to detect malicious content, and educating users to avoid interacting with untrusted content. Since no patches or fixed versions are available as of the advisory date, applying web application firewalls (WAF) rules to block suspicious POST requests to `/emlong/admin/article_save.php` and monitoring for unusual activity can help reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart