Description
Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11.
Published: 2026-05-08
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insecure plugin upload feature that permits attackers to upload and execute arbitrary PHP code, allowing complete compromise of the affected web server. This leads to remote code execution, unauthorized modification of site content, and persistent backdoor installation. The weakness arises from insufficient validation of uploaded file types, classified as CWE-434. Successful exploitation results in full system control by the attacker. The flaw directly compromises confidentiality, integrity, and availability of the server hosting the site.

Affected Systems

The emlog website building system is affected. All installations of emlog version 2.6.10 or earlier are vulnerable. The vulnerability exists in the plugin upload component of emlog prior to the release of version 2.6.11.

Risk and Exploitability

The issue is a true remote code execution flaw that can be exploited by uploading a deliberately crafted plugin. An attacker must first access the plugin upload interface, which is typically restricted to site administrators. The EPSS score is not available, but the lack of file type restrictions and the ability to run arbitrary code indicate a high likelihood of exploitation. The flaw is not listed in the CISA KEV catalog; however, the potential impact warrants urgent remediation.

Generated by OpenCVE AI on May 8, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade emlog to version 2.6.11 or later.
  • Remove any previously uploaded malicious or unverified plugins from the server.
  • Disable the plugin upload function or restrict it to trusted users until the update is applied.



Advisories

No advisories yet.

History

Fri, 08 May 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Emlog; Emlog emlog
Vendors & Products | | Emlog; Emlog emlog

Fri, 08 May 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11.
Title | | Emlog: Remote Code Execution via Malicious Plugin Upload
Weaknesses | | CWE-434
References | |
Metrics | | cvssV4_0 {'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:50:27.441Z

Reserved: 2026-04-20T18:18:50.682Z

Link: CVE-2026-41517

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T22:16:30.340

Modified: 2026-05-08T22:16:30.340

Link: CVE-2026-41517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses