Emlog — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/emlog/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 03 Apr 2026 23:17:04 +0000Emlog Path Traversal Vulnerability Leads to Remote Code Executionhttps://feed.craftedsignal.io/briefs/2024-01-emlog-rce/Fri, 03 Apr 2026 23:17:04 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-emlog-rce/Emlog versions 2.6.2 and prior are vulnerable to path traversal via crafted ZIP uploads, allowing authenticated admins to write arbitrary files and achieve remote code execution.Emlog, an open-source website building system, is vulnerable to a critical path traversal vulnerability (CVE-2026-34607) affecting versions 2.6.2 and earlier. This flaw resides within the emUnZip() function located in include/lib/common.php:793. The vulnerability stems from the function’s failure to sanitize ZIP entry names during extraction of ZIP archives, such as those used for plugin/template uploads or backup imports. An authenticated administrator can exploit this by uploading a specially crafted ZIP file containing entries with “../” sequences. This allows the attacker to write arbitrary files to the server’s file system, potentially including PHP webshells, ultimately leading to Remote Code Execution (RCE). At the time of this writing, there are no publicly available patches to address this vulnerability.

Attack Chain

  1. The attacker authenticates as an administrator in the Emlog application.
  2. The attacker crafts a malicious ZIP archive containing a file with a path traversal sequence (e.g., ../../../../shell.php).
  3. The attacker uploads the crafted ZIP archive via a plugin/template upload or backup import feature.
  4. The emUnZip() function is invoked, which extracts the contents of the ZIP archive.
  5. Due to the lack of sanitization, the extractTo() function writes the malicious file to an arbitrary location on the server’s filesystem, as dictated by the path traversal sequence.
  6. The attacker uploads a PHP webshell to a publicly accessible directory.
  7. The attacker accesses the uploaded PHP webshell through a web browser (e.g., http://example.com/shell.php).
  8. The attacker executes arbitrary commands on the server via the webshell, achieving Remote Code Execution (RCE).

Impact

Successful exploitation of this vulnerability allows an attacker to gain complete control over the affected Emlog server. This can lead to data breaches, website defacement, malware distribution, or further attacks against other systems on the network. Given that Emlog is used by numerous websites, the potential impact could be widespread, affecting potentially hundreds or thousands of websites.

Recommendation

  • Apply any available patches or updates for Emlog as soon as they are released to address CVE-2026-34607.
  • Implement input validation and sanitization measures within the emUnZip() function to prevent path traversal attacks. Specifically, sanitize ZIP entry names before passing them to the extractTo() function.
  • Monitor web server logs for suspicious requests to PHP files in unusual directories (e.g., outside the webroot) after ZIP archive uploads, using the provided Sigma rule for webserver logs.
  • Implement the provided Sigma rule to detect process creation from web server processes to identify potential webshell execution.
]]>criticaladvisorypath-traversalremote-code-executionemlogweb-application