CVE-2026-34787

Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the CSRF token check can be bypassed (see potential bypass conditions), an attacker can include arbitrary PHP files from the server filesystem, leading to code execution. At time of publication, there are no publicly available patches.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/emlog/emlog/security/advisories/GHSA-7mvq-qj5x-5phm	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*

History

13 Apr 2026, 17:32

Type	Values Removed	Values Added
First Time		Emlog emlog Emlog
CPE		cpe:2.3:a:emlog:emlog:::::pro:::*
References	~~() https://github.com/emlog/emlog/security/advisories/GHSA-7mvq-qj5x-5phm -~~	() https://github.com/emlog/emlog/security/advisories/GHSA-7mvq-qj5x-5phm - Exploit, Vendor Advisory

03 Apr 2026, 23:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-03 23:17

Updated : 2026-04-13 17:32

NVD link : CVE-2026-34787

Mitre link : CVE-2026-34787

CVE.ORG link : CVE-2026-34787

JSON object : View

Products Affected

emlog

emlog

CWE

CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

{"id": "CVE-2026-34787", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}]}, "published": "2026-04-03T23:17:04.757", "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-7mvq-qj5x-5phm", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-98"}]}], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the CSRF token check can be bypassed (see potential bypass conditions), an attacker can include arbitrary PHP files from the server filesystem, leading to code execution. At time of publication, there are no publicly available patches."}], "lastModified": "2026-04-13T17:32:52.333", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*", "vulnerable": true, "matchCriteriaId": "87AE63DC-4F2B-44E3-8865-B6166722A5D6", "versionEndIncluding": "2.6.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}