CRITICAL🇵🇱 Wersja polska

CVE-2026-42287

CVSS 10.0v4.0pub. 2026-05-08upd. 2026-05-12

Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been patched in version 2.6.11.

🤖 AI Analysis
How it works

The vulnerability consists of direct SQL command injection (SQL injection, CWE-89) through input data passed to article creation and update functions in the Emlog system. An attacker can craft a malicious query that will be executed directly by the database engine without proper validation or parameterization of input data. The attack is possible remotely, without authentication and without any user interaction.

Impact

An attacker can gain full control over the database — read, modify or delete stored data, which can lead to data theft, system destruction or complete compromise of the service's integrity.

Mitigation & patch

Emlog must be updated immediately to version 2.6.11 or newer, in which the vulnerability has been patched. Details available in vendor references: https://github.com/emlog/emlog/security/advisories/GHSA-xxj8-fc63-j3gw

Who is affected

Emlog versions prior to 2.6.11 (open source website building system).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References