Vulnerability Description
Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Emlog | Emlog | < 2.6.8 |
Related Weaknesses (CWE)
References
- https://github.com/emlog/emlog/commit/4c3b8f3486e2c9caafee38a5eedb3cd16f8c8d6fPatch
- https://github.com/emlog/emlog/security/advisories/GHSA-2rcc-jg83-34vpExploitVendor Advisory
FAQ
What is CVE-2026-34228?
CVE-2026-34228 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the S...
How severe is CVE-2026-34228?
CVE-2026-34228 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34228?
Check the references section above for vendor advisories and patch information. Affected products include: Emlog Emlog.