CVE-2026-21431

5.4 MEDIUM

Cross-Site Scripting

📋 TL;DR

Emlog 2.5.23 has a stored cross-site scripting vulnerability in the Resource Media Library function when publishing articles. This allows attackers to inject malicious scripts that execute when users view affected articles. All Emlog 2.5.23 installations using the media library feature are vulnerable.

💻 Affected Systems

Products:

• Emlog

Versions: Version 2.5.23

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects installations using the Resource Media Library function when publishing articles.

📦 What is this software?

Emlog by Emlog

View all CVEs affecting Emlog →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.

🟠

Likely Case

Attackers inject malicious JavaScript to steal user session cookies or credentials, potentially compromising administrator accounts.

🟢

If Mitigated

With proper input validation and output encoding, the script payloads would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access to publish articles with media library functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: https://github.com/emlog/emlog/security/advisories/GHSA-9vc2-crhr-248x

Restart Required: No

Instructions:

No official patch available. Monitor the Emlog GitHub repository for security updates and patch when available.

🔧 Temporary Workarounds

Disable Media Library Uploads

all

Temporarily disable the Resource Media Library function to prevent exploitation

Copy

Modify Emlog configuration to disable media uploads or restrict to trusted users only

Implement Content Security Policy

all

Add CSP headers to restrict script execution

Copy

Add 'Content-Security-Policy: script-src 'self'' to web server headers

🧯 If You Can't Patch

• Implement web application firewall rules to block XSS payloads in media uploads
• Restrict article publishing permissions to trusted administrators only

🔍 How to Verify

Check if Vulnerable:

Copy

Check if running Emlog version 2.5.23 and using the Resource Media Library function

Check Version:

Copy

Check Emlog admin panel or version.php file for version information

Verify Fix Applied:

Copy

Test media library uploads with XSS payloads to ensure they're properly sanitized

📡 Detection & Monitoring

Log Indicators:

• Unusual media uploads with script tags or JavaScript payloads
• Multiple failed upload attempts with suspicious content

Network Indicators:

• HTTP POST requests to media upload endpoints containing script tags

SIEM Query:

Copy

web_requests WHERE url_path CONTAINS '/admin/media/' AND request_body CONTAINS '<script' OR 'javascript:'

📊 Metadata

CVE ID: CVE-2026-21431

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.04% exploit probability (9.9th percentile)

Published: January 2, 2026

Last Updated: January 16, 2026

🔗 References

• https://github.com/emlog/emlog/security/advisories/GHSA-9vc2-crhr-248x Exploit,Vendor Advisory

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-21431, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)

CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)

CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)