emlog Arbitrary File Upload Vulnerability (CVE-2026-22799)

CVSS score: 9.3 / 10 (CRITICAL)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise.

AI Analysis

Arbitrary file upload vulnerability in emlog v2.6.1 and earlier, allowing authenticated attackers to upload malicious PHP scripts and gain remote code execution (RCE) on the target server.

Basic Information

ID: CVE-2026-22799
Source: GitHub_M
Published: Jan 12, 2026 at 22:05

Affected Product

Vendor: emlog
Product: emlog
Version: <= 2.6.1
Affected Versions: emlog emlog <= 2.6.1

AI Assessment

AI Score: 9.3 / 10
AI Severity: Critical
Vendor: emlog
Product: emlog
Version: 2.6.1 and earlier
