CVE-2026-34607
Path Traversal in Emlog emUnZip() Enables Remote Code Execution
Publication date: 2026-04-03
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emlog | emlog | to 2.6.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Emlog, an open source website building system, specifically in versions 2.6.2 and earlier. It is a path traversal vulnerability found in the emUnZip() function. When extracting ZIP archives such as plugin or template uploads and backup imports, the function extracts files without properly sanitizing the ZIP entry names. An authenticated admin can upload a specially crafted ZIP file containing entries with '../' sequences, which allows writing arbitrary files to the server's filesystem.
This can lead to the attacker placing malicious files, including PHP webshells, on the server, which can then be used to execute arbitrary code remotely, resulting in Remote Code Execution (RCE).
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized remote code execution on your server. An attacker with authenticated admin access can upload crafted ZIP files to write arbitrary files anywhere on the server filesystem.
- Execution of malicious PHP webshells allowing full control over the server.
- Potential data theft, data modification, or destruction.
- Compromise of the entire web application and possibly other connected systems.
- Service disruption or defacement of the website.
What immediate steps should I take to mitigate this vulnerability?
Since there are no publicly available patches at the time of publication, immediate mitigation steps include restricting or disabling the ability for authenticated admins to upload ZIP archives until a fix is available.
Additionally, closely monitor and audit any ZIP archive uploads for suspicious entries containing path traversal sequences such as '../'.
Limiting admin access and ensuring the server filesystem permissions prevent unauthorized file writes can also reduce risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated admin to upload crafted ZIP files that can lead to arbitrary file writes and remote code execution on the server. Such unauthorized access and control over the server can result in data breaches or unauthorized disclosure of sensitive information.
Consequently, this could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure system integrity.
However, the provided information does not explicitly detail the compliance implications or specific regulatory impacts.