Description
Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the CSRF token check can be bypassed (see potential bypass conditions), an attacker can include arbitrary PHP files from the server filesystem, leading to code execution. At time of publication, there are no publicly available patches.
Published: 2026-04-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Monitor
AI Analysis

Impact

The vulnerability is a local file inclusion flaw in the emlog admin plugin endpoint, where the plugin parameter is used directly in a require_once call without sanitization. This allows an attacker to load arbitrary PHP files from the server if they can bypass the CSRF token check, resulting in execution of arbitrary server‑side code and compromising confidentiality, integrity, and availability of the system.

Affected Systems

The affected product is emlog, versions 2.6.2 and earlier, particularly the admin/plugin.php file in the pro edition.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% and absence from the KEV catalog suggest low likelihood of widespread exploitation. The flaw requires successful CSRF token bypass, which may limit the practicality of attacks. Nevertheless, local file inclusion combined with code execution makes it a significant risk if the token check can be avoided.

Generated by OpenCVE AI on April 13, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade emlog to a version later than 2.6.2 when it becomes available.
  • If upgrade is not possible, remove or disable the admin/plugin.php endpoint until a fix is released.
  • Enforce stricter CSRF token validation or eliminate the vulnerable parameter from the URL.
  • Limit PHP file inclusion by setting safe_mode or using an allowlist of plugins.
  • Monitor server logs for unusual require_once calls or admin activity that may indicate exploitation attempts.

Generated by OpenCVE AI on April 13, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Emlog
Emlog emlog
Vendors & Products Emlog
Emlog emlog

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the CSRF token check can be bypassed (see potential bypass conditions), an attacker can include arbitrary PHP files from the server filesystem, leading to code execution. At time of publication, there are no publicly available patches.
Title Emlog: Local File Inclusion in plugin.php via unsanitized plugin parameter
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Emlog Emlog
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T13:17:52.939Z

Reserved: 2026-03-30T19:54:55.556Z

Link: CVE-2026-34787

cve-icon Vulnrichment

Updated: 2026-04-06T13:17:48.213Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T23:17:04.757

Modified: 2026-04-13T17:32:52.333

Link: CVE-2026-34787

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:41:35Z

Weaknesses