{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/emlog/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-34607"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","remote-code-execution","emlog","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eEmlog, an open-source website building system, is vulnerable to a critical path traversal vulnerability (CVE-2026-34607) affecting versions 2.6.2 and earlier. This flaw resides within the \u003ccode\u003eemUnZip()\u003c/code\u003e function located in \u003ccode\u003einclude/lib/common.php:793\u003c/code\u003e. The vulnerability stems from the function\u0026rsquo;s failure to sanitize ZIP entry names during extraction of ZIP archives, such as those used for plugin/template uploads or backup imports. An authenticated administrator can exploit this by uploading a specially crafted ZIP file containing entries with \u0026ldquo;../\u0026rdquo; sequences. This allows the attacker to write arbitrary files to the server\u0026rsquo;s file system, potentially including PHP webshells, ultimately leading to Remote Code Execution (RCE). 
At the time of this writing, there are no publicly available patches to address this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates as an administrator in the Emlog application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a file with a path traversal sequence (e.g., \u003ccode\u003e../../../../shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted ZIP archive via a plugin/template upload or backup import feature.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eemUnZip()\u003c/code\u003e function is invoked, which extracts the contents of the ZIP archive.\u003c/li\u003e\n\u003cli\u003eDue to the lack of sanitization, the \u003ccode\u003eextractTo()\u003c/code\u003e function writes the malicious file to an arbitrary location on the server\u0026rsquo;s filesystem, as dictated by the path traversal sequence.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a PHP webshell to a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded PHP webshell through a web browser (e.g., \u003ccode\u003ehttp://example.com/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the server via the webshell, achieving Remote Code Execution (RCE).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain complete control over the affected Emlog server. This can lead to data breaches, website defacement, malware distribution, or further attacks against other systems on the network. 
Given that Emlog is used by numerous websites, the impact could be widespread, potentially affecting hundreds or thousands of websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for Emlog as soon as they are released to address CVE-2026-34607.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures within the \u003ccode\u003eemUnZip()\u003c/code\u003e function to prevent path traversal attacks. Specifically, sanitize ZIP entry names before passing them to the \u003ccode\u003eextractTo()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to PHP files in unusual directories (e.g., outside the webroot) after ZIP archive uploads, using the provided Sigma rule for webserver logs.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect process creation from web server processes to identify potential webshell execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T23:17:04Z","date_published":"2026-04-03T23:17:04Z","id":"/briefs/2024-01-emlog-rce/","summary":"Emlog versions 2.6.2 and prior are vulnerable to path traversal via crafted ZIP uploads, allowing authenticated admins to write arbitrary files and achieve remote code execution.","title":"Emlog Path Traversal Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-emlog-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Emlog","version":"https://jsonfeed.org/version/1.1"}