{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53926", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-14T17:23:35.258Z", "datePublished": "2025-07-16T15:37:44.789Z", "dateUpdated": "2025-07-16T15:55:28.326Z"}, "containers": {"cna": {"title": "Emlog has Stored Cross-site Scripting vulnerability due to error", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/emlog/emlog/security/advisories/GHSA-g8jx-pj5p-fm3x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-g8jx-pj5p-fm3x"}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"version": "<= pro-2.5.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-16T15:37:44.789Z"}, "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows remote attackers to inject arbitrary web script or HTML via the comment and comname parameters. Reflected XSS requires the victim to send POST requests, therefore the victim must be persuaded into clicking into sent URL. As of time of publication, no known patched versions exist."}], "source": {"advisory": "GHSA-g8jx-pj5p-fm3x", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-g8jx-pj5p-fm3x", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-16T15:55:24.219800Z", "id": "CVE-2025-53926", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-16T15:55:28.326Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53926", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-16T15:55:24.219800Z"}}}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-g8jx-pj5p-fm3x", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-16T15:55:19.607Z"}}], "cna": {"title": "Emlog has Stored Cross-site Scripting vulnerability due to error", "source": {"advisory": "GHSA-g8jx-pj5p-fm3x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"status": "affected", "version": "<= pro-2.5.17"}]}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-g8jx-pj5p-fm3x", "name": "https://github.com/emlog/emlog/security/advisories/GHSA-g8jx-pj5p-fm3x", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows remote attackers to inject arbitrary web script or HTML via the comment and comname parameters. Reflected XSS requires the victim to send POST requests, therefore the victim must be persuaded into clicking into sent URL. As of time of publication, no known patched versions exist."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-16T15:37:44.789Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53926", "state": "PUBLISHED", "dateUpdated": "2025-07-16T15:55:28.326Z", "dateReserved": "2025-07-14T17:23:35.258Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-16T15:37:44.789Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*", "matchCriteriaId": "1EFAF54A-ED0B-426F-9128-643A8184191F", "versionEndIncluding": "2.5.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows remote attackers to inject arbitrary web script or HTML via the comment and comname parameters. Reflected XSS requires the victim to send POST requests, therefore the victim must be persuaded into clicking into sent URL. As of time of publication, no known patched versions exist."}, {"lang": "es", "value": "Emlog es un sistema de c\u00f3digo abierto para la creaci\u00f3n de sitios web. Una vulnerabilidad de cross-site scripting (XSS) en emlog, hasta la versi\u00f3n pro-2.5.17 incluida, permite a atacantes remotos inyectar c\u00f3digo web o HTML arbitrario mediante los par\u00e1metros comment y comname. El XSS reflejado requiere que la v\u00edctima env\u00ede solicitudes POST, por lo que debe ser persuadida para que haga clic en la URL enviada. Al momento de la publicaci\u00f3n, no se conoc\u00edan versiones parcheadas."}], "id": "CVE-2025-53926", "lastModified": "2025-08-14T20:37:42.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-16T16:15:27.677", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-g8jx-pj5p-fm3x"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-g8jx-pj5p-fm3x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}