Description
Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11.
Published: 2026-05-08
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Emlog versions before 2.6.11 lack CSRF protection in key administrative interfaces, permitting a malicious actor to deceive an authenticated administrator into executing privileged operations such as system registration, plugin installation or modification, and configuration changes. This flaw enables an attacker to alter the website’s behavior or introduce malicious code without the administrator’s consent, thereby compromising the confidentiality, integrity, or availability of the site.

Affected Systems

The affected platform is the open-source Emlog website building system; any installation running a version earlier than 2.6.11 is vulnerable. The flaw is specific to the system's administrator functions and is present in all releases prior to the patched 2.6.11 release.

Risk and Exploitability

The CVSS score of 8.4 categorizes this issue as high severity. While an EPSS score is not available, the absence of this CVE from the CISA KEV catalog suggests no known large-scale exploitation yet. The likely attack vector is a crafted HTTP request that the victim's browser submits automatically, so the attacker need only entice an authenticated administrator into visiting a malicious site or clicking a link. Successful exploitation grants the attacker whatever capabilities the targeted administrator possesses until the patch is applied.

Generated by OpenCVE AI on May 9, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Emlog to version 2.6.11 or newer to restore CSRF protection on all administrative actions.
  • Remove or disable unused administrator accounts and enforce strong passwords on all authorized accounts.
  • Limit access to the administrative interface by IP address, VPN, or additional authentication until the patch is applied.
  • Monitor administrative logs for suspicious activity and audit admin actions to detect any unauthorized changes.

Advisories

No advisories yet.

History

Fri, 08 May 2026 23:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Emlog; Emlog emlog
Vendors & Products   (none)           Emlog; Emlog emlog

Fri, 08 May 2026 22:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11.
Title        (none)           Emlog: Cross-Site Request Forgery in Admin Functions
Weaknesses   (none)           CWE-352
References   (none)           (none)
Metrics      (none)           cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:H/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:51:11.862Z

Reserved: 2026-04-26T12:13:55.551Z

Link: CVE-2026-42286

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T22:16:32.910

Modified: 2026-05-08T22:16:32.910

Link: CVE-2026-42286

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:30:21Z

Weaknesses