CVE-2026-34788
Received Received - Intake
SQL Injection in Emlog tag_model.php Allows Data Manipulation

Publication date: 2026-04-03

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized queries or proper escaping ($this->db->escape_string()), making it vulnerable to SQL injection attacks. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34788
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
emlog emlog to 2.6.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Emlog, an open source website building system, specifically in versions 2.6.2 and prior. It is a SQL injection vulnerability found in the updateTagName() function within the file include/model/tag_model.php at line 168. The function directly inserts user input into an SQL query without using parameterized queries or properly escaping the input, which makes it susceptible to SQL injection attacks.

Compliance Impact

The vulnerability is a SQL injection in Emlog versions 2.6.2 and prior, which allows attackers to potentially access or manipulate sensitive data due to improper handling of user input in database queries.

Such vulnerabilities can lead to unauthorized disclosure or alteration of personal or protected health information, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding sensitive data against unauthorized access.

However, the provided information does not explicitly state the impact on compliance with these standards.

Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation steps include restricting access to the vulnerable functionality, especially limiting high privilege users from interacting with the updateTagName() function.

Additionally, consider implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the vulnerable parameter.

Review and audit your codebase to ensure that user inputs are properly escaped or parameterized in SQL queries to prevent injection.

Impact Analysis

The SQL injection vulnerability can allow an attacker with high privileges to manipulate the database by injecting malicious SQL code. This can lead to unauthorized access to sensitive data, modification of data integrity, and potentially compromise the confidentiality and integrity of the system. According to the CVSS score, the impact on confidentiality and integrity is high, though availability is not affected.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34788. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart