CVE-2026-41517
Arbitrary PHP Code Execution in Emlog
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emlog | emlog | up to 2.6.11 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Emlog, an open source website building system, in versions prior to 2.6.11. It involves insecure plugin upload functionality that allows attackers to upload and execute arbitrary PHP code on the server.
By exploiting this flaw, attackers can gain complete control over the server and install persistent backdoors.
The issue has been fixed in version 2.6.11.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to complete server compromise.
Attackers can execute arbitrary PHP code, which may allow them to control the website, access sensitive data, modify content, or use the server for malicious purposes.
Additionally, attackers can install persistent backdoors, maintaining long-term unauthorized access.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Emlog to version 2.6.11 or later, where the insecure plugin upload functionality has been patched.