CVE-2026-34787
Received Received - Intake
Local File Inclusion in Emlog admin/plugin.php Enables Code Execution

Publication date: 2026-04-03

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the CSRF token check can be bypassed (see potential bypass conditions), an attacker can include arbitrary PHP files from the server filesystem, leading to code execution. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34787
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
emlog emlog to 2.6.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

If exploited, this vulnerability allows an attacker to execute arbitrary PHP code on the affected server by including files from the server's filesystem. This can lead to unauthorized control over the website or server, potentially compromising sensitive data, defacing the website, or using the server as a launch point for further attacks.

Executive Summary

This vulnerability exists in Emlog, an open source website building system, specifically in versions 2.6.2 and earlier. It is a Local File Inclusion (LFI) vulnerability found in the admin/plugin.php file at line 80. The issue arises because the $plugin parameter from a GET request is used directly in a require_once statement without proper sanitization. If an attacker can bypass the CSRF token check, they can include arbitrary PHP files from the server's filesystem, which can lead to remote code execution.

Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation steps include restricting access to the vulnerable admin/plugin.php page, especially limiting access to trusted administrators only.

Additionally, monitor and block suspicious GET requests that include the $plugin parameter to prevent exploitation attempts.

Implement additional security controls such as Web Application Firewalls (WAF) to detect and block attempts to exploit Local File Inclusion vulnerabilities.

Finally, keep an eye on official sources for any future patches or updates addressing this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34787. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart