CVE-2026-42287
CRITICAL
Emlog: SQL Injection Vulnerability in log_model.php within addLog() and updateLog() Functions
Title source: cna
Description
Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been patched in version 2.6.11.
References (1)
Core References
x_refsource_confirm: https://github.com/emlog/emlog/security/advisories/GHSA-xxj8-fc63-j3gw
Scores
CVSS v4: 10.0
EPSS: 0.0025
EPSS Percentile: 15.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-89
Status: published
Products (1)
emlog/emlog < 2.6.11
Published: May 08, 2026
Tracked Since: May 09, 2026