Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters

Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized queries or proper escaping ($this->db->escape_string()), making it vulnerable to SQL injection attacks. At time of publication, there are no publicly available patches.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

emlog SQL注入漏洞

emlog是emlog开源的一套基于PHP和MySQL的CMS建站系统。 Emlog 2.6.2及之前版本存在SQL注入漏洞，该漏洞源于include/model/tag_model.php中updateTagName函数直接将用户输入插入SQL查询字符串，可能导致SQL注入攻击。

N/A

N/A