{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34228", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.033Z", "datePublished": "2026-04-03T22:28:45.911Z", "dateUpdated": "2026-04-06T13:18:48.484Z"}, "containers": {"cna": {"title": "Emlog: CSRF in Backend Upgrade Interface Leading to Arbitrary Remote SQL Execution and Arbitrary File Write", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/emlog/emlog/security/advisories/GHSA-2rcc-jg83-34vp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-2rcc-jg83-34vp"}, {"name": "https://github.com/emlog/emlog/commit/4c3b8f3486e2c9caafee38a5eedb3cd16f8c8d6f", "tags": ["x_refsource_MISC"], "url": "https://github.com/emlog/emlog/commit/4c3b8f3486e2c9caafee38a5eedb3cd16f8c8d6f"}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"version": "< 2.6.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:28:45.911Z"}, "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8."}], "source": {"advisory": "GHSA-2rcc-jg83-34vp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T13:18:25.291201Z", "id": "CVE-2026-34228", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:18:48.484Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34228", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T13:18:25.291201Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:18:39.408Z"}}], "cna": {"title": "Emlog: CSRF in Backend Upgrade Interface Leading to Arbitrary Remote SQL Execution and Arbitrary File Write", "source": {"advisory": "GHSA-2rcc-jg83-34vp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"status": "affected", "version": "< 2.6.8"}]}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-2rcc-jg83-34vp", "name": "https://github.com/emlog/emlog/security/advisories/GHSA-2rcc-jg83-34vp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/emlog/emlog/commit/4c3b8f3486e2c9caafee38a5eedb3cd16f8c8d6f", "name": "https://github.com/emlog/emlog/commit/4c3b8f3486e2c9caafee38a5eedb3cd16f8c8d6f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:28:45.911Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34228", "state": "PUBLISHED", "dateUpdated": "2026-04-06T13:18:48.484Z", "dateReserved": "2026-03-26T16:22:29.033Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T22:28:45.911Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8."}], "id": "CVE-2026-34228", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T23:17:04.100", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/emlog/emlog/commit/4c3b8f3486e2c9caafee38a5eedb3cd16f8c8d6f"}, {"source": "security-advisories@github.com", "url": "https://github.com/emlog/emlog/security/advisories/GHSA-2rcc-jg83-34vp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "emlog", "source": "cna", "vendor": "emlog"}, "product": "emlog", "vendor": "emlog"}], "analysis": {"en": {"generated_at": "2026-04-04T01:24:00.363168+00:00", "value": {"mitigation_remediation": ["Apply the official patch that releases emlog 2.6.8 or later."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects installations of the open\u2011source website system emlog, specifically any instance using a version earlier than 2.6.8. Users running those versions should verify the current build and the presence of the tokens used to protect upgrade requests.", "description_and_impact": "The flaw lies in the backend upgrade interface, which accepts remote SQL and ZIP URLs via GET parameters without validating a CSRF token. When a request reaches the server, it downloads and executes the supplied SQL file, then fetches the ZIP file and extracts its contents directly into the web root. This sequence allows an attacker to inject arbitrary SQL commands and to write files to the site\u2019s document root, potentially leading to data modification, disclosure, or execution of malicious scripts. The weakness involved is a cross\u2011site request forgery (CWE\u2011352).", "risk_and_exploitability": "The vulnerability scores 8.7 on the CVSS scale, indicating high severity, and is not listed in the Certified Exploited Vulnerabilities catalog. While the EPSS score is not available, the lack of a CSRF check suggests a straightforward exploitation path: an authenticated administrator is tricked into visiting a crafted link that carries malicious GET parameters. The attacker then benefits from the server\u2019s unauthenticated processing of the SQL and ZIP payloads, allowing database tampering and arbitrary file placement without needing any privileged user actions beyond normal admin authentication."}}}}, "created": "2026-04-06T21:22:10.090126+00:00", "updated": "2026-04-06T22:21:47.607315+00:00", "vendors": ["emlog", "emlog$PRODUCT$emlog"]}