CVE-2026-34228

216.73.217.22

· Published 03/04/2026 23:17 · Modified 03/04/2026 23:17

Labels: CVE-2026-34228 2026-04-03 CVE-2026-34228 CWE-352 [email protected]

Essential information

Published: 03/04/2026 23:17
Modified: 03/04/2026 23:17
Author: —
Creator: —
CVSS: 8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
emlog / emlog	`cpe:2.3:a:emlog:emlog:<2.6.8:::::::*`