CVE-2026-34788 MEDIUM

CVE-2026-34788: Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters

Vendor Emlog

Product emlog

Weakness CWE-89 · SQLi

Published April 3, 2026

Last update April 6, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized queries or proper escaping ($this->db->escape_string()), making it vulnerable to SQL injection attacks. At time of publication, there are no publicly available patches.

Key dates

02Disclosure timeline

April 3, 2026 CVE published

April 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34788 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

CVE-2026-34788: Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters

01Description

02Disclosure timeline

03References

04Related CVE