CVE-2026-34228
Received Received - Intake
CSRF Allows Arbitrary SQL Execution and File Write in Emlog

Publication date: 2026-04-03

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34228
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
emlog emlog to 2.6.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Emlog, an open source website building system, prior to version 2.6.8. The backend upgrade interface accepts remote SQL and ZIP file URLs via GET parameters without validating a CSRF token. As a result, an attacker can trick an authenticated administrator into visiting a malicious link, which causes the server to download and execute an arbitrary SQL file and then download and extract a ZIP file directly into the web root directory. This leads to arbitrary SQL execution and arbitrary file write on the server.

Impact Analysis

The vulnerability allows an attacker to execute arbitrary SQL commands and write arbitrary files on the server by tricking an authenticated administrator into visiting a malicious link. This can lead to unauthorized data manipulation, data loss, or corruption, as well as the potential for remote code execution or website defacement by placing malicious files in the web root directory.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Emlog to version 2.6.8 or later, where the issue has been patched.

Additionally, avoid allowing authenticated administrators to visit untrusted or suspicious links that could exploit the lack of CSRF token validation in the backend upgrade interface.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34228. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart