{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34788", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:54:55.556Z", "datePublished": "2026-04-03T22:37:08.658Z", "dateUpdated": "2026-04-06T19:03:54.134Z"}, "containers": {"cna": {"title": "Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/emlog/emlog/security/advisories/GHSA-32mg-33qq-p3gf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-32mg-33qq-p3gf"}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"version": "<= 2.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:37:08.658Z"}, "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized queries or proper escaping ($this->db->escape_string()), making it vulnerable to SQL injection attacks. At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-32mg-33qq-p3gf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T19:03:43.719671Z", "id": "CVE-2026-34788", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:03:54.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34788", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T19:03:43.719671Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:03:49.760Z"}}], "cna": {"title": "Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters", "source": {"advisory": "GHSA-32mg-33qq-p3gf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"status": "affected", "version": "<= 2.6.2"}]}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-32mg-33qq-p3gf", "name": "https://github.com/emlog/emlog/security/advisories/GHSA-32mg-33qq-p3gf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized queries or proper escaping ($this->db->escape_string()), making it vulnerable to SQL injection attacks. At time of publication, there are no publicly available patches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:37:08.658Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34788", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:03:54.134Z", "dateReserved": "2026-03-30T19:54:55.556Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T22:37:08.658Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized queries or proper escaping ($this->db->escape_string()), making it vulnerable to SQL injection attacks. At time of publication, there are no publicly available patches."}], "id": "CVE-2026-34788", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T23:17:05.063", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/emlog/emlog/security/advisories/GHSA-32mg-33qq-p3gf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "emlog", "source": "cna", "vendor": "emlog"}, "product": "emlog", "vendor": "emlog"}], "analysis": {"en": {"generated_at": "2026-04-04T01:22:55.794883+00:00", "value": {"mitigation_remediation": ["Check for any available vendor update that addresses the SQL injection; if none exist, upgrade to a version later than 2.6.2 once released.", "If no patch is available, temporarily disable or protect the updateTagName functionality by restricting access to trusted administrators only or by removing the endpoint entirely.", "Modify the code to use parameterized queries or proper escaping functions rather than directly interpolating user input into SQL strings.", "Monitor application logs for suspicious activity and review database integrity after applying any mitigation."], "summary": {"action": "Apply Workaround", "impact": "Arbitrary SQL query execution"}, "threat_synthesis": {"affected_systems": "The issue affects the open\u2011source website builder Emlog, specifically all releases up to and including version 2.6.2. Any deployment using those versions could be exposed, regardless of hosting environment, as the vulnerability resides in the core application code.", "description_and_impact": "A flaw in the tag_model::updateTagName() function of Emlog allows an attacker to inject arbitrary SQL through unsanitized parameters. The code directly interpolates user input into an SQL statement without using prepared statements or proper escaping, creating a classic SQL Injection risk. Successful exploitation could let a malicious user read, modify, or delete database contents, compromising the confidentiality, integrity, and availability of the website content. This weakness is identified as CWE\u201189.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, and the vulnerability is likely exploitable via a web request to the tag update endpoint. Although EPSS data is unavailable and the issue is not listed in CISA\u2019s KEV catalog, the absence of a public patch makes the risk immediate for unpatched systems. An attacker with the ability to submit data to the vulnerable function can craft input that causes arbitrary SQL statements to execute, potentially gaining full database access."}}}}, "created": "2026-04-06T21:22:05.699089+00:00", "updated": "2026-04-06T22:21:43.691797+00:00", "vendors": ["emlog", "emlog$PRODUCT$emlog"]}