CVE-2026-21430
Published: 02 January 2026
Summary
CVE-2026-21430 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Emlog. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 12.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 protects the authenticity of communications sessions, directly mitigating CSRF by ensuring state-changing requests like article creation originate from legitimate user sessions.
SI-10 requires validation of information inputs, such as anti-CSRF tokens, preventing the acceptance of forged article creation requests with attacker-controlled content.
SI-2 mandates identification, reporting, and timely remediation of flaws like this unpatched CSRF vulnerability, including interim mitigations such as synchronizer tokens.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF-plus-XSS chain in a public web application maps directly to exploitation of a public-facing application (T1190) and to browser session hijacking, which leads to account takeover.
NVD Description
Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available.
Deeper analysis
CVE-2026-21430 is a cross-site request forgery (CSRF) vulnerability in the article creation functionality of Emlog version 2.5.23, an open source website building system. This flaw, associated with CWE-352 (CSRF) and CWE-79 (XSS), allows an attacker to force an authenticated user to post an article containing arbitrary, attacker-controlled content. When combined with stored cross-site scripting, it enables account takeover. The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).
The attack requires network access and user interaction but no attacker privileges. An unauthenticated attacker can craft a malicious webpage or link that, when visited by an authenticated Emlog user with article posting permissions (such as an administrator), triggers the CSRF to submit a forged request creating an article with attacker-specified content. If the Emlog instance is susceptible to stored XSS, the injected content executes arbitrary JavaScript in other users' browsers, potentially leading to session hijacking and full account takeover.
The GitHub security advisory (GHSA-2g2w-vmg7-pq4q), published on 2026-01-02, states that no known patched versions of Emlog are available as of that time. Security practitioners should monitor for updates from the Emlog project and implement CSRF protections, such as synchronizer tokens, in the interim.
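As an added illustration of the synchronizer-token mitigation recommended above (this is not Emlog's code; the handler, session dictionary and article store are hypothetical stand-ins), the following Python models an article-creation endpoint that rejects cross-site requests lacking the per-session token, and encodes stored content on output so a stored-XSS payload is rendered as text rather than executed:

```python
import hmac
import html
import secrets

# Constructed in-memory stand-ins for Emlog's session store and article table.
ARTICLES: list[dict] = []

def issue_csrf_token(session: dict) -> str:
    """Mint a per-session synchronizer token; the form embeds it as a hidden field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token

def csrf_token_valid(session: dict, submitted) -> bool:
    """Compare the submitted token with the server-side copy in constant time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

def handle_article_post(session: dict, form: dict) -> tuple:
    """Hypothetical article-creation handler: returns (http_status, message)."""
    if not session.get("user"):
        return 401, "login required"
    if not csrf_token_valid(session, form.get("csrf_token")):
        # A cross-site form post cannot read the token from the victim's page,
        # so a forged request arrives without it (or with a stale value).
        return 403, "CSRF token missing or invalid; article not created"
    ARTICLES.append({"author": session["user"],
                     "title": form.get("title", ""),
                     "content": form.get("content", "")})
    return 201, "article created"

def render_article(article: dict) -> str:
    """Encode on output so stored markup is shown as text, not run as script."""
    return (f"<h1>{html.escape(article['title'])}</h1>"
            f"<div>{html.escape(article['content'])}</div>")

def demo() -> tuple:
    """Walk three requests; returns the status code of each."""
    ARTICLES.clear()
    session = {"user": "admin"}  # constructed: an authenticated editor session
    forged = handle_article_post(session, {"title": "x", "content": "y"})[0]
    token = issue_csrf_token(session)
    stale = handle_article_post(session, {"csrf_token": "0" * 64, "title": "x"})[0]
    genuine = handle_article_post(session, {"csrf_token": token, "title": "Hello",
                                            "content": "<b>safe</b>"})[0]
    return forged, stale, genuine
```

The token check is only a CSRF control; the output encoding in `render_article` is what keeps a forged or malicious article body from becoming the stored XSS that turns this chain into account takeover.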
Details
- CWE(s)