CVE-2026-21430
CSRF in Emlog 2.5.23 Article Creation Enables Account Takeover

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: GitHub, Inc.

Description
Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available.
Meta Information
Published: 2026-01-02
Last Modified: 2026-01-02
Generated: 2026-05-07
AI Q&A: 2026-01-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: emlog
Product: emlog
Version / Range: to 2.5.23 (exc)
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE ID: CWE-352
Description: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in emlog version 2.5.23 combines cross-site request forgery (CSRF) with stored cross-site scripting (XSS). The article creation functionality lacks CSRF protection, so an attacker can force a logged-in user (such as an administrator) to publish an article containing attacker-controlled content. Because article content is insufficiently sanitized, that content can include script. When another user views the article, the stored XSS executes in their browser, exposing their session cookies and enabling the attacker to take over their account. [1]


How can this vulnerability impact me?

The vulnerability can lead to full account takeover of any user who views the maliciously crafted article. Attackers can hijack user sessions by stealing cookies through the stored XSS payload delivered via CSRF-forced article publication. This compromises user accounts, potentially including administrative accounts, leading to unauthorized access and control over the affected website. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for POST requests to the endpoint `/emlong/admin/article_save.php` that lack a valid CSRF token, or that arrive with no Referer/Origin or one from a foreign site. Network traffic analysis tools can be used to inspect such requests. Additionally, scanning stored articles for suspicious payloads, such as `<img>` tags carrying `onerror` handlers intended to exfiltrate data, can help identify exploitation attempts. Specific commands are not provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the article creation functionality to trusted users only, manually reviewing newly created articles for malicious content, and educating users to avoid interacting with untrusted content. Since no patches or fixed versions are available as of the advisory date, applying web application firewall (WAF) rules that block suspicious POST requests to `/emlong/admin/article_save.php`, and monitoring for unusual activity, can help reduce risk. [1]
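The two checks described above (cross-site POSTs to the article-save endpoint, and stored articles carrying inline script) can be run over web-server logs and article bodies offline. The following script is an added example written for this page; it is not part of emlog or of the advisory. It assumes a combined-log-format access log, uses the endpoint path exactly as the advisory states it, and works on constructed sample data embedded in the block. The Referer heuristic is deliberately conservative: a missing Referer is flagged rather than ignored, because a forged cross-site form post may arrive without one, and so may a legitimate request from a privacy-hardened browser, which is why hits are review candidates rather than verdicts.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory (path reproduced as given there).
ARTICLE_SAVE_PATH = "/emlong/admin/article_save.php"

# Apache/nginx combined log format:
#   client ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cross_site_post(entry, site_host, endpoint=ARTICLE_SAVE_PATH):
    """True for a POST to the article-save endpoint whose Referer is absent or from another host."""
    if entry["method"] != "POST":
        return False
    if entry["path"].split("?", 1)[0] != endpoint:
        return False
    ref = entry["referer"]
    if ref in ("", "-"):
        return True  # no Referer: same-origin cannot be confirmed, so flag for review
    return urlsplit(ref).hostname != site_host


def flag_cross_site_posts(lines, site_host, endpoint=ARTICLE_SAVE_PATH):
    """Scan log lines; return (client, time, referer) for each suspicious article-save POST."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_cross_site_post(entry, site_host, endpoint):
            hits.append((entry["client"], entry["time"], entry["referer"]))
    return hits


# Inline event handlers (onerror=, onload=, ...) inside a tag, and <script> tags.
EVENT_HANDLER_RE = re.compile(r"<\w+[^>]*\s+on[a-z]+\s*=", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def find_suspicious_articles(articles):
    """articles: mapping id -> stored HTML body. Return sorted ids containing script or event handlers."""
    return sorted(
        article_id
        for article_id, body in articles.items()
        if EVENT_HANDLER_RE.search(body) or SCRIPT_RE.search(body)
    )


# Constructed sample data (not real traffic or real emlog content).
SITE_HOST = "blog.example.org"
SAMPLE_LOG = [
    # legitimate save submitted from the site's own editor page
    '203.0.113.5 - - [02/Jan/2026:10:00:01 +0000] "POST /emlong/admin/article_save.php HTTP/1.1" '
    '302 0 "https://blog.example.org/admin/write_log.php" "Mozilla/5.0"',
    # save submitted while the browser was on a third-party page
    '203.0.113.5 - - [02/Jan/2026:10:05:42 +0000] "POST /emlong/admin/article_save.php HTTP/1.1" '
    '302 0 "https://other-site.example/page.html" "Mozilla/5.0"',
    # save with no Referer at all
    '198.51.100.7 - - [02/Jan/2026:10:06:10 +0000] "POST /emlong/admin/article_save.php HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0"',
    # a GET to the same path is not a forged save
    '198.51.100.7 - - [02/Jan/2026:10:07:00 +0000] "GET /emlong/admin/article_save.php HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
]
SAMPLE_ARTICLES = {
    "1": "<p>Release notes for 2.5.23</p>",
    "2": '<p>Hello</p><img src="x" onerror="alert(1)">',
    "3": "<p>An article that merely mentions onload=true in its text</p>",
    "4": "<p>Intro</p><script>document.title = 'x'</script>",
}

if __name__ == "__main__":
    for client, when, ref in flag_cross_site_posts(SAMPLE_LOG, SITE_HOST):
        print(f"review: {client} at {when}, referer={ref}")
    print("articles to review:", find_suspicious_articles(SAMPLE_ARTICLES))
```

Run against a real log by replacing `SAMPLE_LOG` with the file's lines and `SITE_HOST` with the blog's hostname; a site hosted under several hostnames needs the host check widened to a set. The article scan is a triage filter, not a sanitizer: it catches the `onerror` pattern the advisory describes and plain script tags, while a proper fix still requires server-side CSRF tokens on the save form and output encoding of article content.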

