{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34229", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.034Z", "datePublished": "2026-04-03T22:31:44.971Z", "dateUpdated": "2026-04-06T19:02:14.476Z"}, "containers": {"cna": {"title": "Emlog: Stored XSS in Comment Module via URI Scheme Validation Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/emlog/emlog/security/advisories/GHSA-74gp-xh6w-hqw6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-74gp-xh6w-hqw6"}, {"name": "https://github.com/emlog/emlog/commit/a12ab1b1a273fe634abab32fd28274c18bd57f07", "tags": ["x_refsource_MISC"], "url": "https://github.com/emlog/emlog/commit/a12ab1b1a273fe634abab32fd28274c18bd57f07"}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"version": "< 2.6.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:31:44.971Z"}, "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in emlog comment module via URI scheme validation bypass. This issue has been patched in version 2.6.8."}], "source": {"advisory": "GHSA-74gp-xh6w-hqw6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T19:00:22.723151Z", "id": "CVE-2026-34229", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:02:14.476Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34229", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T19:00:22.723151Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:02:10.523Z"}}], "cna": {"title": "Emlog: Stored XSS in Comment Module via URI Scheme Validation Bypass", "source": {"advisory": "GHSA-74gp-xh6w-hqw6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"status": "affected", "version": "< 2.6.8"}]}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-74gp-xh6w-hqw6", "name": "https://github.com/emlog/emlog/security/advisories/GHSA-74gp-xh6w-hqw6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/emlog/emlog/commit/a12ab1b1a273fe634abab32fd28274c18bd57f07", "name": "https://github.com/emlog/emlog/commit/a12ab1b1a273fe634abab32fd28274c18bd57f07", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in emlog comment module via URI scheme validation bypass. This issue has been patched in version 2.6.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:31:44.971Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34229", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:02:14.476Z", "dateReserved": "2026-03-26T16:22:29.034Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T22:31:44.971Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Prior to version 2.6.8, there is a stored cross-site scripting (XSS) vulnerability in emlog comment module via URI scheme validation bypass. This issue has been patched in version 2.6.8."}], "id": "CVE-2026-34229", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T23:17:04.270", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/emlog/emlog/commit/a12ab1b1a273fe634abab32fd28274c18bd57f07"}, {"source": "security-advisories@github.com", "url": "https://github.com/emlog/emlog/security/advisories/GHSA-74gp-xh6w-hqw6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "emlog", "source": "cna", "vendor": "emlog"}, "product": "emlog", "vendor": "emlog"}], "analysis": {"en": {"generated_at": "2026-04-04T02:52:43.006243+00:00", "value": {"mitigation_remediation": ["Upgrade Emlog to version 2.6.8 or newer", "If upgrading immediately is not feasible, temporarily disable or remove the comment feature to eliminate the attack surface", "Apply server\u2011side input validation or a Content Security Policy to reduce the impact of any remaining XSS vectors"], "summary": {"action": "Patch Now", "impact": "Stored cross\u2011site scripting via the comment module"}, "threat_synthesis": {"affected_systems": "All installations of Emlog older than version 2.6.8 are vulnerable. Administrators should verify the current software version and upgrade to 2.6.8 or newer to eliminate the flaw.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in the comment module of the open\u2011source Emlog content management platform, caused by a bypass in URI scheme validation. When a malicious user submits a comment containing a crafted URI, the JavaScript payload is saved in the database and later rendered into all visitors\u2019 browsers without proper sanitization, allowing the attacker to execute arbitrary code within the victim\u2019s context.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, implying it is not a known exploited vulnerability at this time. The likely attack vector is posting a crafted comment; based on the description, it is inferred that no authentication is required for exploitation. Once planted, the payload is executed for every subsequent visitor, so the impact includes theft of session data, defacement, or distribution of malware to site users."}}}}, "created": "2026-04-06T21:22:09.018995+00:00", "updated": "2026-04-06T22:21:46.615245+00:00", "vendors": ["emlog", "emlog$PRODUCT$emlog"]}