CVE-2025-61597 HIGH

CVE-2025-61597: Emlog Pro is vulnerable to stored XSS attack through HTML template injection

Vendor Emlog
Product emlog
Weakness CWE-79 · XSS
Published October 3, 2025
Last update October 3, 2025

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

Emlog is an open source website building system. In versions 2.5.21 and below, an HTML template injection allows stored cross‑site scripting (XSS) via the mail template settings. Once a malicious payload is saved, any subsequent visit to the settings page in an authenticated admin context will execute attacker‑controlled JavaScript, enabling session/token theft and full admin account takeover. This issue is fixed in version 2.5.22.

Key dates

02Disclosure timeline

October 3, 2025 CVE published
October 3, 2025 Record updated