Description

Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8.

INFO

Published Date :

2026-04-03T22:28:45.911Z

Last Modified :

2026-04-06T13:18:48.484Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34228 vulnerability.

Vendors Products
Emlog
  • Emlog
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34228.

URL Resource
https://github.com/emlog/emlog/commit/4c3b8f3486e2c9caafee38a5eedb3cd16f8c8d6f cve-icon cve-icon
https://github.com/emlog/emlog/security/advisories/GHSA-2rcc-jg83-34vp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability