CVE-2026-21433
Published: 02 January 2026
Summary
CVE-2026-21433 is a high-severity SSRF (CWE-918) vulnerability in Emlog. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 16.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate and sanitize uploaded SVG files to block or strip external resource references that trigger SSRF during server-side processing such as thumbnailing or previewing.
- SI-2 (Flaw Remediation): apply patches, updates, or compensating controls for the SSRF vulnerability in SVG handling in Emlog versions up to and including 2.5.19.
- Boundary protection: enforce web application firewalls or network ACLs (egress filtering) to block unauthorized outbound HTTP requests from the server during SVG processing.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in the public-facing Emlog web application (via SVG upload and processing) directly enables remote exploitation of the application, matching T1190.
NVD Description
Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available.
Deeper analysis
CVE-2026-21433 is a server-side Out-of-Band (OOB) request and Server-Side Request Forgery (SSRF) vulnerability in Emlog, an open source website building system. Versions up to and including 2.5.19 are affected, specifically through the handling of uploaded SVG files via the /admin/media.php endpoint. An attacker can upload a crafted SVG containing external resource references; when the server processes or renders the file, for example during thumbnailing, previewing, or sanitization, it issues an HTTP request to the attacker-controlled host. The vulnerability is rated 7.7 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and maps to CWE-918 (Server-Side Request Forgery).
Exploitation requires low privileges (PR:L), typically an authenticated user with upload capabilities, allowing network-accessible (AV:N) attacks with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables server-side SSRF/OOB interactions, permitting the attacker to probe internal networks and potentially expose metadata or credentials from the server's perspective. The changed scope (S:C) amplifies the confidentiality impact (C:H) by leveraging the server's higher privileges to access resources otherwise unreachable.
The primary advisory, published on GitHub at https://github.com/emlog/emlog/security/advisories/GHSA-6rwr-c8hc-mjj4, confirms the issue and notes that as of the publication date (2026-01-02), no patched versions of Emlog are available, leaving affected installations without official mitigations.
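The SI-10 control listed above (validate uploaded SVGs so that server-side rendering never has a remote resource to fetch) can be implemented as an upload gate that rejects any SVG carrying an external reference. The following is an added example written for this page, not Emlog's own code: it rejects DTD/entity declarations and stylesheet processing instructions before parsing, then walks the tree for script/foreignObject/image elements, non-fragment href/src targets, event handlers, and CSS url()/@import fetches. The sample SVGs and the .invalid hostnames are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Rejected before XML parsing: DTD/entity declarations and stylesheet PIs (both can fetch URLs).
PREPARSE_BAN = re.compile(r"<!DOCTYPE|<!ENTITY|<\?xml-stylesheet", re.I)
# Attributes that name a resource; only in-document "#fragment" targets are accepted.
REF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href", "src"}
# Elements a static image never needs. <image> is banned outright rather than trusting
# data: URIs, a deliberately conservative choice for an upload gate.
BANNED_TAGS = {"script", "foreignObject", "image", "feImage"}
CSS_URL = re.compile(r"url\s*\(([^)]*)\)", re.I)

def local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.split("}", 1)[1] if name.startswith("{") else name

def css_fetches(css):
    """Return url(...) targets and @import uses in CSS text that are not #fragment references."""
    targets = [m.group(1).strip().strip("'\"").strip() for m in CSS_URL.finditer(css)]
    hits = [t for t in targets if not t.startswith("#")]
    if "@import" in css.lower():
        hits.append("@import")
    return hits

def find_svg_violations(svg_bytes):
    """Return the reasons an uploaded SVG is unsafe to render server-side; [] means accept."""
    reasons = []
    m = PREPARSE_BAN.search(svg_bytes.decode("utf-8", errors="replace"))
    if m:
        reasons.append(f"forbidden declaration {m.group(0)}")
    try:
        root = ET.fromstring(svg_bytes)  # expat does not fetch external DTDs/entities by default
    except ET.ParseError as e:
        return reasons + [f"not well-formed XML: {e}"]
    if local(root.tag) != "svg":
        reasons.append(f"root element is <{local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = local(el.tag)
        if tag in BANNED_TAGS:
            reasons.append(f"forbidden element <{tag}>")
        if tag == "style":
            reasons += [f"<style> fetches {t}" for t in css_fetches(el.text or "")]
        for attr, value in el.attrib.items():
            if local(attr).startswith("on"):
                reasons.append(f"event handler {local(attr)} on <{tag}>")
            if attr in REF_ATTRS and not value.strip().startswith("#"):
                reasons.append(f"external reference in <{tag} {local(attr)}>: {value}")
            reasons += [f"{local(attr)} on <{tag}> fetches {t}" for t in css_fetches(value)]
    return reasons

# Constructed samples (not from the advisory): an OOB probe image and a harmless icon.
PROBE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><image xlink:href="http://oob.example.invalid/p.png" width="1" height="1"/></svg>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><defs><circle id="dot" r="2"/></defs><use href="#dot" x="5" y="5"/></svg>'
```

A rejected upload should be logged with its reasons, since an SVG with an outbound reference landing on the media endpoint is itself a useful detection signal.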
Details
- CWE(s): CWE-918 (Server-Side Request Forgery)