Description
Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise.
Published: 2026-01-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lets an attacker who holds a valid API key, or who is authenticated with an admin session cookie, upload any file, including executable PHP scripts, to the server. Because neither the file type nor the file content is validated, the attacker can then execute arbitrary code on the target system and compromise the entire server.

Affected Systems

emlog, an open-source website builder, is affected in versions 2.6.1 and older because those versions expose a REST API endpoint for media uploads, reached via /index.php?rest-api=upload.

Risk and Exploitability

The CVSS score is 9.3, indicating critical severity. EPSS is below 1%, showing a very low estimated likelihood of exploitation, and the CVE is not listed in the CISA KEV catalog. The attack requires legitimate authentication, which can be obtained by gaining admin access or by exploiting information-disclosure flaws. Once an attacker uploads a malicious PHP file, it can be executed by requesting the file through the web server, granting remote code execution.

Generated by OpenCVE AI on April 18, 2026 at 06:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest upstream patch or upgrade to emlog version 2.6.2 or higher where the REST API file‑type validation is fixed.
  • If an upgrade is not possible, restrict the upload endpoint to accept only image files (e.g., jpg, png, gif) and perform MIME type and content inspection before saving, rejecting any file that does not match the allowed criteria.
  • Disable or remove the REST API upload route entirely if it is not needed, and revoke all existing API keys.
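The second action above (accept only image files and inspect MIME type and content before saving) as an added example in PHP; this is not Emlog's own code, and `validate_image_upload`, `safe_target_name` and the constants are hypothetical names. It assumes the upload arrives as a standard PHP `$_FILES` entry.

```php
<?php
// Added example, not Emlog's code: allow-list plus content inspection for a media upload.
// Each allowed extension is paired with the MIME type a genuine file of that kind carries.
const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;

/**
 * Returns null when the upload is acceptable, otherwise a rejection reason.
 * $file is one $_FILES entry: name, tmp_name, size, error.
 */
function validate_image_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'transfer error';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        return 'file too large';
    }
    // Only the final, lower-cased extension is consulted, and only against the allow-list.
    // A name like "shell.php.jpg" yields "jpg" and must still pass the content checks below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        return 'extension not allowed';
    }
    // The MIME type is derived from the bytes on disk, never from the client-controlled
    // $_FILES['type'] field, and it must agree with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGES[$ext]) {
        return "content type {$mime} does not match extension .{$ext}";
    }
    // getimagesize() parses the image header; a PHP script renamed to .png fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return 'not a valid image';
    }
    return null;
}

// The stored name is generated server-side so the request cannot choose it; the
// extension comes from the validated allow-list key, not from the original filename.
function safe_target_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}
```

A file that passes these checks can still be a valid image with extra bytes appended, so the directory the file is saved to should also be served without PHP execution (or outside the web root).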

Generated by OpenCVE AI on April 18, 2026 at 06:56 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 21 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 13 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 09:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Emlog; Emlog emlog
Vendors & Products | | Emlog; Emlog emlog

Mon, 12 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise.
Title | | emlog Arbitrary File Upload Vulnerability
Weaknesses | | CWE-434
References | |
Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T19:08:11.094Z

Reserved: 2026-01-09T22:50:10.287Z

Link: CVE-2026-22799

Vulnrichment

Updated: 2026-01-13T14:14:16.453Z

NVD

Status: Analyzed

Published: 2026-01-12T22:16:08.930

Modified: 2026-01-21T19:13:49.570

Link: CVE-2026-22799

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses