{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34787", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:54:55.556Z", "datePublished": "2026-04-03T22:36:36.418Z", "dateUpdated": "2026-04-06T13:17:52.939Z"}, "containers": {"cna": {"title": "Emlog: Local File Inclusion in plugin.php via unsanitized plugin parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "lang": "en", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/emlog/emlog/security/advisories/GHSA-7mvq-qj5x-5phm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emlog/emlog/security/advisories/GHSA-7mvq-qj5x-5phm"}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"version": "<= 2.6.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:36:36.418Z"}, "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the CSRF token check can be bypassed (see potential bypass conditions), an attacker can include arbitrary PHP files from the server filesystem, leading to code execution. At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-7mvq-qj5x-5phm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T13:17:41.321219Z", "id": "CVE-2026-34787", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:17:52.939Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34787", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T13:17:41.321219Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:17:48.213Z"}}], "cna": {"title": "Emlog: Local File Inclusion in plugin.php via unsanitized plugin parameter", "source": {"advisory": "GHSA-7mvq-qj5x-5phm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "emlog", "product": "emlog", "versions": [{"status": "affected", "version": "<= 2.6.2"}]}], "references": [{"url": "https://github.com/emlog/emlog/security/advisories/GHSA-7mvq-qj5x-5phm", "name": "https://github.com/emlog/emlog/security/advisories/GHSA-7mvq-qj5x-5phm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the CSRF token check can be bypassed (see potential bypass conditions), an attacker can include arbitrary PHP files from the server filesystem, leading to code execution. At time of publication, there are no publicly available patches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:36:36.418Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34787", "state": "PUBLISHED", "dateUpdated": "2026-04-06T13:17:52.939Z", "dateReserved": "2026-03-30T19:54:55.556Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T22:36:36.418Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the CSRF token check can be bypassed (see potential bypass conditions), an attacker can include arbitrary PHP files from the server filesystem, leading to code execution. At time of publication, there are no publicly available patches."}], "id": "CVE-2026-34787", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T23:17:04.757", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/emlog/emlog/security/advisories/GHSA-7mvq-qj5x-5phm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "emlog", "source": "cna", "vendor": "emlog"}, "product": "emlog", "vendor": "emlog"}], "analysis": {"en": {"generated_at": "2026-04-04T01:51:18.505524+00:00", "value": {"mitigation_remediation": ["Check the Emlog project or GitHub repository for an official patch and upgrade to a fixed release as soon as it is available.", "Restrict access to admin/plugin.php so that it can only be called by authenticated users and enforce proper CSRF token validation.", "If an upgrade is not immediately possible, remove or adequately sanitize the $plugin parameter from the require_once call to prevent arbitrary file inclusion.", "Disable the plugin system entirely until a safe version is deployed.", "Monitor security advisories and the Emlog community for updates or work\u2011arounds to address this issue promptly."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Emlog version 2.6.2 and all earlier releases. No patch has been released at the time of publication, so older installations remain susceptible.", "description_and_impact": "A Local File Inclusion flaw in the admin/plugin.php file of Emlog \u2013 identified by CWE\u201198 \u2013 allows an attacker to inject the name of any PHP file on the server into a require_once call. When the CSRF check is bypassed, the attacker can force inclusion of a malicious script, yielding remote code execution and full compromise of the web application.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates moderate severity. No EPSS score is available, and the flaw is not yet listed in CISA\u2019s KEV catalogue, suggesting limited public exploitation. The likely attack vector is via the web administrator interface, requiring successful CSRF bypass and a user with administrative privileges or the ability to craft a request to the vulnerable endpoint. Because code execution is possible, the risk to confidentiality, integrity, and availability is significant if an exploitable path is achieved."}}}}, "created": "2026-04-06T21:22:06.792528+00:00", "updated": "2026-04-06T22:21:44.661750+00:00", "vendors": ["emlog", "emlog$PRODUCT$emlog"]}