CVE-2025-47784 | THREATINT

Description

Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause `str_replace` to replace the value of `name_orig` with empty, causing deserialization to fail and return `false`. Commit 9643250802188b791419e3c2188577073256a8a2 fixes the issue.

PUBLISHED Reserved 2025-05-09 | Published 2025-05-15 | Updated 2025-05-16 | Assigner GitHub_M

MEDIUM: 6.6CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Problem types

CWE-502: Deserialization of Untrusted Data

Product status

<= 2.5.13

affected

References

github.com/.../emlog/security/advisories/GHSA-f56g-m99v-mqc3

github.com/...ommit/9643250802188b791419e3c2188577073256a8a2

cve.org (CVE-2025-47784)

nvd.nist.gov (CVE-2025-47784)

Download JSON