Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls $zip->extractTo($path) without sanitizing ZIP entry names. An authenticated admin can upload a crafted ZIP containing entries with ../ sequences to write arbitrary files to the server filesystem, including PHP webshells, achieving Remote Code Execution (RCE). At time of publication, there are no publicly available patches.
References
| Link | Resource |
|---|---|
| https://github.com/emlog/emlog/security/advisories/GHSA-2jg8-rmhm-xv9m | Exploit Vendor Advisory |
| https://github.com/emlog/emlog/security/advisories/GHSA-2jg8-rmhm-xv9m | Exploit Vendor Advisory |
Configurations
History
13 Apr 2026, 17:37
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Emlog emlog
Emlog |
|
| References | () https://github.com/emlog/emlog/security/advisories/GHSA-2jg8-rmhm-xv9m - Exploit, Vendor Advisory | |
| CPE | cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:* |
06 Apr 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/emlog/emlog/security/advisories/GHSA-2jg8-rmhm-xv9m - |
03 Apr 2026, 23:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-03 23:17
Updated : 2026-04-13 17:37
NVD link : CVE-2026-34607
Mitre link : CVE-2026-34607
CVE.ORG link : CVE-2026-34607
JSON object : View
Products Affected
emlog
- emlog
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')