CVE-2026-22799
Arbitrary File Upload in Emlog REST API Enables RCE
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emlog | emlog | to 2.6.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to remote code execution on the affected server, allowing attackers to execute arbitrary PHP code. This can result in full server compromise, including unauthorized access to sensitive data such as database credentials, user information, and blog content. Attackers may also install malware, create backdoors, or use the compromised server for malicious activities like participating in botnets. [2]
Can you explain this vulnerability to me?
CVE-2026-22799 is a critical vulnerability in emlog version 2.6.1 where the REST API upload endpoint (/index.php?rest-api=upload) does not properly validate uploaded files. Authenticated attackers with a valid API key or admin session cookie can upload arbitrary files, including malicious PHP scripts, because the system fails to check file types, extensions, and content. Once uploaded, these malicious files can be executed on the server, allowing attackers to gain remote code execution and fully compromise the server. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by monitoring HTTP POST requests to the vulnerable REST API endpoint `/index.php?rest-api=upload` for suspicious file uploads, especially PHP files. For example, using network monitoring tools or web server logs, you can search for POST requests containing `.php` files or unusual filenames. A sample command to list upload requests in the web server access log could be: `grep -F 'POST /index.php?rest-api=upload' /var/log/apache2/access.log`. Piping that output through `grep '.php'` adds nothing, because the endpoint path itself contains `.php` and every line matches; the uploaded filename travels in the request body, which standard access logs do not record. Additionally, scanning the upload directories for recently added PHP files can help detect exploitation attempts. [2]
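The two checks described above (upload requests in the access log, PHP files in the upload directory) as one script; this is an added example, not code from the advisory or the emlog project. The combined log format, the `uploads` directory name, and the sample log lines and files are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the advisory: triage for CVE-2026-22799.
# Assumes "combined" access-log format; the upload directory is passed in
# by the caller because the page does not name it.

# Print client IP, timestamp and status of each POST to the upload endpoint.
# The uploaded filename is in the request body, so it is not visible here.
upload_posts() {    # $1 = access log
    awk '$6 == "\"POST" && index($7, "rest-api=upload") {
             print $1, substr($4, 2), $9 }' "$1"
}

# List recent files under the upload directory that have an extension
# commonly mapped to PHP, or that carry a PHP open tag under any extension.
php_in_uploads() {  # $1 = upload dir, $2 = max age in days
    {
        find "$1" -type f -mtime "-$2" \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \)
        find "$1" -type f -mtime "-$2" -exec grep -lI '<?php' {} +
    } | sort -u
}

# Constructed sample data so the script runs offline.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/uploads/202601"
cat > "$DEMO/access.log" <<'EOF'
203.0.113.7 - - [12/Jan/2026:10:01:02 +0000] "POST /index.php?rest-api=upload HTTP/1.1" 200 182 "-" "curl/8.5.0"
198.51.100.4 - - [12/Jan/2026:10:02:11 +0000] "GET /index.php?post=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2026:10:03:40 +0000] "POST /index.php?action=comment HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
printf '<?php /* constructed */ ?>\n' > "$DEMO/uploads/202601/a.php"
printf '<?php /* constructed */ ?>\n' > "$DEMO/uploads/202601/b.jpg"
printf 'plain text\n' > "$DEMO/uploads/202601/c.txt"

echo "POSTs to the upload endpoint:"
upload_posts "$DEMO/access.log"
echo "Files to review:"
php_in_uploads "$DEMO/uploads" 7
```

Correlate the timestamps from the first list with the modification times of the files in the second to decide which uploads need review.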
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the REST API upload endpoint to only trusted administrators, disabling the REST API upload feature if not needed, and monitoring for suspicious uploads. Since no patches were available at the time of reporting, you should implement additional validation or filtering on uploaded files at the web server or application firewall level to block PHP or other executable files. Also, rotate API keys and review admin session security to prevent unauthorized access. Applying the fix from the commit that adds proper file validation (as in Resource 1) once available is recommended. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to gain remote code execution and full server compromise, potentially leading to data breaches including sensitive information such as database credentials, user information, and blog content. Such data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data. Therefore, exploitation of this vulnerability could lead to violations of these regulations due to unauthorized access and exposure of protected data. [2]