CVE-2026-34607
Emlog: Path Traversal in emUnZip() allows arbitrary file write leading to RCE
CVSS Score
7.2
EPSS Score
0.3%
EPSS Percentile
52th
Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls $zip->extractTo($path) without sanitizing ZIP entry names. An authenticated admin can upload a crafted ZIP containing entries with ../ sequences to write arbitrary files to the server filesystem, including PHP webshells, achieving Remote Code Execution (RCE). At time of publication, there are no publicly available patches.
| CWE | CWE-22 |
| Vendor | emlog |
| Product | emlog |
| Published | Apr 3, 2026 |
| Last Updated | Apr 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for emlog emlog
Be the first to know when new high vulnerabilities affecting emlog emlog are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
emlog / emlog
<= 2.6.2