CVE-2026-34788
SQL Injection in Emlog tag_model.php Allows Data Manipulation
Publication date: 2026-04-03
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emlog | emlog | to 2.6.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Emlog, an open source website building system, specifically in versions 2.6.2 and prior. It is a SQL injection vulnerability found in the updateTagName() function within the file include/model/tag_model.php at line 168. The function directly inserts user input into an SQL query without using parameterized queries or properly escaping the input, which makes it susceptible to SQL injection attacks.
How can this vulnerability impact me? :
The SQL injection vulnerability can allow an attacker with high privileges to manipulate the database by injecting malicious SQL code. This can lead to unauthorized access to sensitive data, modification of data integrity, and potentially compromise the confidentiality and integrity of the system. According to the CVSS score, the impact on confidentiality and integrity is high, though availability is not affected.
What immediate steps should I take to mitigate this vulnerability?
Since there are no publicly available patches at the time of publication, immediate mitigation steps include restricting access to the vulnerable functionality, especially limiting high privilege users from interacting with the updateTagName() function.
Additionally, consider implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the vulnerable parameter.
Review and audit your codebase to ensure that user inputs are properly escaped or parameterized in SQL queries to prevent injection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a SQL injection in Emlog versions 2.6.2 and prior, which allows attackers to potentially access or manipulate sensitive data due to improper handling of user input in database queries.
Such vulnerabilities can lead to unauthorized disclosure or alteration of personal or protected health information, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding sensitive data against unauthorized access.
However, the provided information does not explicitly state the impact on compliance with these standards.