CVE-2025-47786 Information

Description

Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript inducing all website users to click. In /admin/comment.php the parameter perpage_num is not validated and is directly stored in the admin_commend_perpage_num field of the emlog_options table in the database. Moreover the output is not filtered resulting in the direct output of malicious code. As of time of publication it is unclear if a patch exists.

Reference

https://github.com/emlog/emlog/security/advisories/GHSA-82qc-9vg7-2c6c