CVE-2026-34607
Received Received - Intake
Path Traversal in Emlog emUnZip() Enables Remote Code Execution

Publication date: 2026-04-03

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls $zip->extractTo($path) without sanitizing ZIP entry names. An authenticated admin can upload a crafted ZIP containing entries with ../ sequences to write arbitrary files to the server filesystem, including PHP webshells, achieving Remote Code Execution (RCE). At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34607
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
emlog emlog to 2.6.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Emlog, an open source website building system, specifically in versions 2.6.2 and earlier. It is a path traversal vulnerability found in the emUnZip() function. When extracting ZIP archives such as plugin or template uploads and backup imports, the function extracts files without properly sanitizing the ZIP entry names. An authenticated admin can upload a specially crafted ZIP file containing entries with '../' sequences, which allows writing arbitrary files to the server's filesystem.

This can lead to the attacker placing malicious files, including PHP webshells, on the server, which can then be used to execute arbitrary code remotely, resulting in Remote Code Execution (RCE).

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on your server. An attacker with authenticated admin access can upload crafted ZIP files to write arbitrary files anywhere on the server filesystem.

  • Execution of malicious PHP webshells allowing full control over the server.
  • Potential data theft, data modification, or destruction.
  • Compromise of the entire web application and possibly other connected systems.
  • Service disruption or defacement of the website.
Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation steps include restricting or disabling the ability for authenticated admins to upload ZIP archives until a fix is available.

Additionally, closely monitor and audit any ZIP archive uploads for suspicious entries containing path traversal sequences such as '../'.

Limiting admin access and ensuring the server filesystem permissions prevent unauthorized file writes can also reduce risk.

Compliance Impact

This vulnerability allows an authenticated admin to upload crafted ZIP files that can lead to arbitrary file writes and remote code execution on the server. Such unauthorized access and control over the server can result in data breaches or unauthorized disclosure of sensitive information.

Consequently, this could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure system integrity.

However, the provided information does not explicitly detail the compliance implications or specific regulatory impacts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34607. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart