CVE-2026-21431
Stored XSS in Emlog 2.5.23 Media Library Allows Persistent Injection
Publication date: 2026-01-02
Last updated on: 2026-01-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emlog | emlog | to 2.5.23 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21431 is a stored Cross-Site Scripting (XSS) vulnerability in the Resource media library function of emlog version 2.5.23. An attacker can upload an image file with a maliciously crafted filename containing JavaScript code. When an administrator later publishes an article and interacts with this image in the media library, the embedded script executes in the administrator's browser, potentially stealing cookies and enabling session hijacking or other malicious actions. [1]
How can this vulnerability impact me? :
This vulnerability can lead to the theft of administrator cookies, which may allow attackers to hijack administrator sessions. This can result in unauthorized access to the website's administrative functions, potentially leading to further compromise of the website, data manipulation, or other malicious activities. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting uploaded image filenames in the Resource media library for suspicious patterns that include embedded JavaScript code, such as filenames containing sequences like `><img src=1 onerror=alert(document.cookie)>.jpg`. There are no specific commands provided, but searching the media library upload directory or database for filenames matching patterns with HTML tags or JavaScript event handlers could help identify potential exploit attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the Resource media library to select or hover over uploaded images with untrusted filenames, restricting upload permissions to trusted users only, and sanitizing or validating filenames of uploaded media to prevent inclusion of malicious scripts. Since no patched versions are available, administrators should exercise caution when publishing articles using the media library and consider removing or renaming suspicious files. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows theft of administrator cookies through stored cross-site scripting, potentially leading to session hijacking and unauthorized access. Such unauthorized access and data exposure could result in non-compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data. However, no specific compliance impact is detailed in the provided resources. [1]