Description
Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls $zip->extractTo($path) without sanitizing ZIP entry names. An authenticated admin can upload a crafted ZIP containing entries with ../ sequences to write arbitrary files to the server filesystem, including PHP webshells, achieving Remote Code Execution (RCE). At time of publication, there are no publicly available patches.
Published: 2026-04-03
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via arbitrary file write
Action: Apply patch
AI Analysis

Impact

A path traversal flaw exists in the emUnZip() routine of the Emlog website builder, specifically in versions 2.6.2 and earlier. When an authenticated site administrator uploads a ZIP archive—through plugin, template, or backup import—the function extracts files without sanitizing the entry names. Entries containing "../" sequences can be written to arbitrary locations in the server filesystem, allowing placement of PHP webshells and ultimately permitting remote code execution. The weakness corresponds to a classic directory traversal issue (CWE‑22).
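The defensive pattern the advisory points at is to validate every archive entry name before anything is written, rather than handing the whole archive to extractTo(). The following is an added example, not Emlog's code or a patch for it; safeExtractZip() and isSafeEntryName() are hypothetical helper names and the paths in the usage sketch are placeholders.

```php
<?php
// Added example, not Emlog's code. Hardened ZIP extraction that validates
// every entry name before anything is written, instead of calling
// $zip->extractTo($path) on the whole archive unconditionally.
// safeExtractZip() and isSafeEntryName() are hypothetical helper names.

declare(strict_types=1);

/**
 * Extract $zipFile into $destDir, refusing any entry that could escape it.
 * Returns the list of entry names that were extracted.
 *
 * @throws RuntimeException on an unopenable archive or an unsafe entry
 */
function safeExtractZip(string $zipFile, string $destDir): array
{
    $base = realpath($destDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException("destination is not a directory: $destDir");
    }

    $zip = new ZipArchive();
    if ($zip->open($zipFile) !== true) {
        throw new RuntimeException("cannot open archive: $zipFile");
    }

    // Pass 1: check every name. Fail closed on the first unsafe entry so a
    // single traversal entry poisons the whole upload.
    $entries = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || !isSafeEntryName($name)) {
            $zip->close();
            throw new RuntimeException('unsafe ZIP entry rejected: ' . var_export($name, true));
        }
        $entries[] = $name;
    }

    // Pass 2: only the validated names are extracted (an explicit list,
    // never the implicit "everything" of a bare extractTo($path)).
    if ($entries !== [] && !$zip->extractTo($base, $entries)) {
        $zip->close();
        throw new RuntimeException('extraction failed');
    }
    $zip->close();
    return $entries;
}

/**
 * An entry name is safe only if it is a relative path made of plain
 * components: no NUL bytes, no absolute or drive-letter prefix, no
 * backslash separators (so the same rule holds on Windows), and no
 * ".." component anywhere.
 */
function isSafeEntryName(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    if ($name[0] === '/' || strpos($name, '\\') !== false || preg_match('#^[A-Za-z]:#', $name)) {
        return false;
    }
    foreach (explode('/', $name) as $component) {
        if ($component === '..') {
            return false;
        }
    }
    return true;
}

// Usage sketch (placeholder paths): extract an uploaded plugin archive.
// $written = safeExtractZip('/tmp/upload.zip', '/var/www/emlog/content/plugins/');
```

Two design choices matter here. First, all names are checked before any file is created, so a malicious archive cannot get a partial extraction onto disk before the traversal entry is reached. Second, extractTo() receives the explicit list of validated names, so the function never relies on the extraction call itself to refuse a `../` entry, which is exactly the assumption the advisory describes as broken.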

Affected Systems

The vulnerability affects the Emlog website building system, version 2.6.2 and earlier, in the include/lib/common.php component that implements ZIP extraction for admin‑initiated uploads.

Risk and Exploitability

The CVSS score of 7.2 indicates moderate‑to‑high severity, and the EPSS score is reported below 1 %, suggesting low publicly observable exploitation frequency. The vulnerability is not catalogued in the CISA KEV list. Attackers must first authenticate as an administrator, but once they have that privilege, the attack path—uploading a crafted ZIP file—is straightforward and requires no additional conditions. Given the nature of the flaw, exploitation would grant full control over the host filesystem from the perspective of the web application.

Generated by OpenCVE AI on April 13, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an official patch from Emlog and install it immediately if available.
  • If a patch is not available, block or refuse ZIP file uploads from users with administrative privileges until remediation.
  • Limit filesystem write permissions to only the directories required for CMS operation.
  • Monitor the server for unexpected file creations or modifications, especially within web‑root directories.
  • Implement a web‑application firewall rule that rejects or logs attempts to write files outside the intended upload area.

Generated by OpenCVE AI on April 13, 2026 at 18:53 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Emlog; Emlog emlog
Vendors & Products | | Emlog; Emlog emlog

Mon, 06 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls $zip->extractTo($path) without sanitizing ZIP entry names. An authenticated admin can upload a crafted ZIP containing entries with ../ sequences to write arbitrary files to the server filesystem, including PHP webshells, achieving Remote Code Execution (RCE). At time of publication, there are no publicly available patches.
Title | | Emlog: Path Traversal in emUnZip() allows arbitrary file write leading to RCE
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:42:13.270Z

Reserved: 2026-03-30T17:15:52.500Z

Link: CVE-2026-34607

Vulnrichment

Updated: 2026-04-06T15:37:02.381Z

NVD

Status : Analyzed

Published: 2026-04-03T23:17:04.423

Modified: 2026-04-13T17:37:26.993

Link: CVE-2026-34607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:36Z

Weaknesses