CVE-2026-21432
Unknown Unknown - Not Provided
Stored XSS in Emlog 2.5.23 Enables Admin Account Takeover

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: GitHub, Inc.

Description
Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-02
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21432
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
emlog emlog 2.5.23
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21432 is a stored Cross-Site Scripting (XSS) vulnerability in emlog version pro-2.5.23, specifically in the admin comment management page (/admin/comment.php). An attacker with any user role can submit a comment containing malicious XSS code. When an administrator views or interacts with this comment, the malicious code executes, potentially affecting multiple users if the comment is accepted. This can lead to account takeover, including administrator accounts. No patched versions are currently available. [1]

Impact Analysis

This vulnerability can lead to account takeover of users, including administrators, by executing malicious scripts when administrators interact with malicious comments. This compromises the security and control of the website, potentially allowing attackers to gain unauthorized access and control over user accounts and administrative functions. [1]

Detection Guidance

This vulnerability can be detected by monitoring the /admin/comment.php page for comments containing suspicious or malicious XSS payloads submitted by any user role. Since the vulnerability triggers when an administrator views or interacts with such comments, inspecting the comments database or web requests for scripts or unusual payloads in comment content is advisable. Specific commands are not provided in the resources, but manual review or use of web application security scanners targeting stored XSS in comment fields on the admin comment management page can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /admin/comment.php page to trusted administrators only, avoiding interaction (such as hovering or clicking reply) with untrusted comments, and monitoring for suspicious comments submitted by any user role. Since no patched versions are available, consider implementing web application firewall (WAF) rules to block or sanitize malicious scripts in comments. Additionally, review and harden user roles and permissions to limit who can post comments. Regular backups and monitoring for unusual account activity are also recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21432. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart