CVE-2026-34607 HIGH

CVE-2026-34607: Emlog: Path Traversal in emUnZip() allows arbitrary file write leading to RCE

Vendor Emlog
Product emlog
Weakness CWE-22 · Path traversal
Published April 3, 2026
Last update April 6, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls $zip->extractTo($path) without sanitizing ZIP entry names. An authenticated admin can upload a crafted ZIP containing entries with ../ sequences to write arbitrary files to the server filesystem, including PHP webshells, achieving Remote Code Execution (RCE). At time of publication, there are no publicly available patches.

Key dates

02Disclosure timeline

April 3, 2026 CVE published
April 6, 2026 Record updated