CVE-2026-34787 MEDIUM

CVE-2026-34787: Emlog: Local File Inclusion in plugin.php via unsanitized plugin parameter

Vendor Emlog

Product emlog

Weakness CWE-98 · PHP file inclusion

Published April 3, 2026

Last update April 6, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the CSRF token check can be bypassed (see potential bypass conditions), an attacker can include arbitrary PHP files from the server filesystem, leading to code execution. At time of publication, there are no publicly available patches.

Key dates

Disclosure timeline

April 3, 2026 CVE published

April 6, 2026 Record updated