Description
Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8.
Published: 2026-04-03
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary SQL execution and file write
Action: Immediate Patch
AI Analysis

Impact

Emlog, an open source website building system, contains a cross-site request forgery flaw in its backend upgrade interface that allows an attacker to supply arbitrary SQL and ZIP URLs via GET parameters. Because the interface does not validate a CSRF token, the server blindly downloads and runs the SQL file and extracts the ZIP file directly into the web root directory. This results in the ability to execute arbitrary SQL statements and write arbitrary files to the site's file system, which an attacker can achieve by tricking an authenticated administrator into visiting a malicious link.

Affected Systems

The vulnerability affects all installed instances of emlog CMS running any version earlier than 2.6.8. No other vendors or products are listed as affected by this flaw.

Risk and Exploitability

The CVSS score of 8.7 classifies the flaw as high severity, while an EPSS score of less than 1 percent indicates that exploitation activity is currently low. The flaw is not included in the CISA KEV catalog. Exploitation requires an authenticated administrator to click a crafted link that triggers the vulnerable backend upgrade process, making CSRF the most likely attack vector. Because the potential impact is significant, the overall risk remains substantial despite the low current probability of exploitation.

Generated by OpenCVE AI on April 13, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch for emlog version 2.6.8 or later
  • If a patch cannot be applied immediately, restrict or disable the backend upgrade interface for all users
  • Ensure the upgrade interface validates a CSRF token before processing any parameters
  • Lock down the web root to prevent unauthorized file writes by reviewing permissions and removing write access where possible
  • Monitor administrator activity for unexpected SQL execution or file modifications and investigate promptly
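One way to implement the CSRF check recommended above, shown as an added PHP example that is neither emlog's code nor the vendor's 2.6.8 patch: the token is bound to the administrator's session, compared in constant time, and checked before any other parameter of the upgrade request is read. The function and parameter names (`require_csrf_token`, `token`, `sql_url`, `zip_url`) and the switch from GET to POST for this state-changing action are assumptions for illustration.

```php
<?php
// Added example (not emlog's own code): session-bound CSRF token for a
// state-changing admin action such as a backend upgrade.
// Function and parameter names are assumptions for illustration.

const CSRF_SESSION_KEY = 'csrf_token';

// Create (or reuse) a random token stored in the administrator's session.
// Embed it in the admin form as a hidden input named "token" (HTML-escaped).
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Abort unless the request is a POST carrying a token that matches the
// session copy. hash_equals() avoids a timing side channel on the compare.
function require_csrf_token(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Upgrade actions must be submitted via POST.');
    }
    $sent     = $_POST['token'] ?? '';
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
}

// Upgrade handler: the token check runs before any download or extraction,
// and the URL parameters are only read once it has passed.
function handle_upgrade_request(): void
{
    require_csrf_token();
    $sqlUrl = $_POST['sql_url'] ?? '';   // hypothetical parameter names
    $zipUrl = $_POST['zip_url'] ?? '';
    // ... validate the URLs and proceed with the upgrade ...
}

handle_upgrade_request();
```

A link an administrator is lured into clicking issues a cross-origin GET without the session-bound token, so it is rejected before the SQL or ZIP URL is ever fetched.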


Tracking


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Emlog
Emlog emlog
Vendors & Products Emlog
Emlog emlog

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8.
Title Emlog: CSRF in Backend Upgrade Interface Leading to Arbitrary Remote SQL Execution and Arbitrary File Write
Weaknesses CWE-352
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T13:18:48.484Z

Reserved: 2026-03-26T16:22:29.033Z

Link: CVE-2026-34228

Vulnrichment

Updated: 2026-04-06T13:18:39.408Z

NVD

Status : Analyzed

Published: 2026-04-03T23:17:04.100

Modified: 2026-04-13T17:38:32.883

Link: CVE-2026-34228

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:38Z

Weaknesses