Description
Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks.
Published: 2026-03-11
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Data Loss (Unauthorized Deletion of Media Files)
Action: Immediate Patch
AI Analysis

Impact

Emlog version 2.6.6 and earlier contain a missing CSRF protection check in the delete_async operation, which allows an attacker to trigger the asynchronous media file deletion endpoint without presenting a valid CSRF token. Because the endpoint can be invoked from a victim’s browser session, a malicious user can delete arbitrary media files, thereby compromising the integrity and availability of the site’s content. The weakness is identified as CWE‑352 – Cross‑Site Request Forgery.

Affected Systems

The affected systems are deployments of the open‑source website builder emlog, specifically version 2.6.6 and any earlier release. The Common Platform Enumeration for the vulnerable product is cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*, indicating the Pro edition of emlog.

Risk and Exploitability

The EPSS score is reported as under 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Even so, because the flaw relies on a CSRF vector that does not require complex prerequisites, an attacker who can induce a user’s browser to send a request to the delete_async endpoint could delete files without needing administrative credentials. The risk remains significant for sites that rely on the integrity of media assets, and the potential impact warrants immediate attention.

Generated by OpenCVE AI on March 17, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed emlog version; any version lower than 2.6.7 is vulnerable.
  • Upgrade to the latest emlog release (≥ 2.6.7) where the delete_async action includes a CSRF token check.
  • If an upgrade cannot be performed immediately, block or restrict POST requests to the delete_async endpoint using web‑application firewall rules or server‑side access controls.
  • Monitor web server logs for anomalous delete_async requests and adjust mitigation measures accordingly.

Generated by OpenCVE AI on March 17, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Emlog
Emlog emlog
Vendors & Products Emlog
Emlog emlog

Wed, 11 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks.
Title Emlog asynchronous media file deletion missing CSRF protection
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N'}

Subscriptions

Emlog Emlog
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:01:11.679Z

Reserved: 2026-03-10T15:10:10.657Z

Link: CVE-2026-31954

cve-icon Vulnrichment

Updated: 2026-03-12T20:01:08.656Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T20:16:16.280

Modified: 2026-03-17T21:05:16.757

Link: CVE-2026-31954

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:29:19Z

Weaknesses