Emlog is an open source website building system. In versions 2.5.21 and below, an HTML template injection allows stored cross‑site scripting (XSS) via the mail template settings. Once a malicious payload is saved, any subsequent visit to the settings page in an authenticated admin context will execute attacker‑controlled JavaScript, enabling session/token theft and full admin account takeover. This issue is fixed in version 2.5.22.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/61xxx/CVE-2025-61597.json",
"cwe_ids": [
"CWE-79"
],
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*",
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.5.22"
},
{
"last_affected": "2.5.19"
}
]
}