CVE-2026-34788
Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
6th
Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized queries or proper escaping ($this->db->escape_string()), making it vulnerable to SQL injection attacks. At time of publication, there are no publicly available patches.
| CWE | CWE-89 |
| Vendor | emlog |
| Product | emlog |
| Published | Apr 3, 2026 |
| Last Updated | Apr 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for emlog emlog
Be the first to know when new medium vulnerabilities affecting emlog emlog are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
emlog / emlog
<= 2.6.2