CVE-2026-42286
CSRF Vulnerability in Emlog Prior to 2.6.11
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emlog | emlog | all versions prior to 2.6.11 (2.6.11 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Emlog, an open source website building system, in versions prior to 2.6.11. It is caused by missing CSRF (Cross-Site Request Forgery) protection in critical administrative functions. Because of this, an attacker can cause the browser of an authenticated administrator (for example, by luring them to a crafted page) to submit requests that perform unauthorized actions such as system registration, plugin management, and configuration changes without the administrator's knowledge or consent.
How can this vulnerability impact me?
The impact of this vulnerability is significant because it allows an attacker to perform unauthorized administrative actions on your Emlog website if an authenticated administrator is tricked into triggering the forged requests. This can lead to unauthorized system registration, changes to plugins, and configuration modifications, potentially compromising the integrity, availability, and security of your website.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Emlog to version 2.6.11 or later, where the missing CSRF protection issue has been patched.
Until the upgrade is applied, restrict access to the admin functions to trusted users only and avoid performing administrative actions from untrusted networks or devices.