CVE-2026-34228
Severity: HIGH
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8.
Analysis
Cross-Site Request Forgery (CSRF) in Emlog CMS versions prior to 2.6.8 lets a remote attacker, without credentials of their own, execute arbitrary SQL commands and write arbitrary files to the web root. The flaw lies in an unprotected backend upgrade interface that accepts remote SQL and ZIP URLs via GET parameters; the only precondition is that an authenticated administrator visits a malicious link. …
Remediation
Within 24 hours: identify all Emlog CMS deployments and document current versions; immediately restrict backend upgrade interface access via firewall or reverse proxy rules. Within 7 days: upgrade all Emlog installations to version 2.6.8 or later; if upgrade is not feasible, implement SameSite cookie attributes (SameSite=Strict) and CSRF token validation at the web application firewall level. …
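The two application-level mitigations named above, a SameSite=Strict session cookie and CSRF token validation, are shown below as an added example. This is not Emlog's own code; the function names and the upgrade.php path are hypothetical, and it assumes the admin panel is served over HTTPS. It also rejects the state-changing action on GET altogether, so a link an administrator is tricked into visiting never reaches the upgrade logic.

```php
<?php
// Added example (not Emlog's code): CSRF guard for a state-changing admin
// action such as a backend upgrade handler. Names here are hypothetical.

declare(strict_types=1);

// 1. Session cookie with SameSite=Strict: a cross-site navigation to the
//    upgrade URL will not carry the administrator's session cookie.
function startAdminSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // assumption: the panel is served over HTTPS
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// 2. Per-session token, stored server-side and embedded in the upgrade form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 3. Constant-time comparison; a missing or mismatched token fails closed.
function csrfTokenIsValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// 4. Guard: the upgrade must arrive as a POST carrying a valid token.
//    A forged GET link fails the first check; a forged cross-site POST
//    fails the second (no token) and, with SameSite=Strict, has no session.
function requireCsrfProtectedPost(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Upgrade actions must be submitted via POST.');
    }
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
}

// Hypothetical handler: GET only renders the token-bearing form; nothing is
// downloaded or executed until the POST passes the guard above.
startAdminSession();
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="upgrade.php">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<button type="submit">Run upgrade</button></form>';
    exit;
}
requireCsrfProtectedPost();
// ... perform the upgrade only after the guard has passed.
```

The token is tied to the session rather than to the URL, so an attacker who knows the upgrade endpoint still cannot supply a value that hash_equals() accepts; the SameSite attribute is defence in depth for browsers that honour it, and the token check is what holds when it is not honoured.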