CVE-2026-46686 in Emlog
Summary
by MITRE • 07/16/2026
Emlog is an open source website building system. In 2.6.13 and earlier, the admin backend user search module's keyword parameter from admin/user.php is processed with addslashes but not HTML-escaped before being rendered into the value attribute in admin/views/user.php, allowing reflected cross-site scripting in an administrator's backend session. No fixed version is currently identified.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
This vulnerability exists within Emlog's administrative backend where the user search functionality fails to properly sanitize input parameters before rendering them in HTML output contexts. The flaw occurs in the admin/user.php file where the keyword parameter undergoes addslashes processing but lacks proper HTML escaping before being injected into the value attribute of an HTML input element within admin/views/user.php. This creates a reflected cross-site scripting condition that specifically targets administrator sessions, making it particularly dangerous as it can be exploited to hijack administrative privileges.
The technical implementation of this vulnerability stems from improper input validation and output encoding practices. While addslashes provides some protection against SQL injection by escaping single quotes and backslashes, it does not address HTML context rendering concerns. When the keyword parameter is reflected back into the HTML value attribute without proper HTML entity encoding, malicious payloads can be injected and executed within the administrator's browser context. This violates fundamental security principles of input sanitization and output encoding that should occur at each layer of data processing.
The operational impact of this vulnerability is severe as it enables attackers to execute arbitrary JavaScript code within the administrative session of any logged-in administrator. This could allow threat actors to perform actions such as creating new admin users, modifying existing user permissions, accessing sensitive system information, or even uploading malicious files through the compromised administrative interface. The reflected nature of the XSS means that exploitation requires only a single interaction with a crafted URL containing the malicious payload, making it highly effective for targeted attacks against administrators.
This vulnerability maps to CWE-79 - Cross-site Scripting and specifically aligns with ATT&CK technique T1566.001 - Phishing via Social Media where attackers could use this XSS to compromise administrative credentials or system access. The weakness exists in the application's failure to properly encode data for HTML contexts, representing a classic output encoding flaw that has been consistently identified as a critical security risk across various web applications. Organizations using Emlog versions 2.6.13 or earlier should immediately implement temporary mitigations such as input validation at the application level and consider restricting administrative access through network segmentation until a permanent fix is available.
The attack vector requires an administrator to visit a malicious URL containing the XSS payload, which could be delivered through social engineering campaigns or compromised websites. The vulnerability's exploitation is particularly concerning because it targets privileged sessions, potentially allowing full system compromise. Security teams should monitor for unusual administrative activities and implement content security policies as additional protective measures while awaiting official patches from the Emlog development team.