CVE-2026-22799
Published: 12 January 2026
Summary
CVE-2026-22799 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Emlog. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces comprehensive validation of information inputs, including file types, extensions, and content in the REST API upload endpoint, directly preventing unrestricted arbitrary file uploads.
Requires timely flaw remediation through patching the specific unrestricted upload vulnerability in Emlog v2.6.1 and earlier.
Limits system functionality by disabling unused REST API upload endpoints, eliminating exposure to the vulnerable media upload feature.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in public-facing web application (Emlog REST API) enables exploitation of public-facing application (T1190) and deployment of web shells via malicious PHP scripts for RCE (T1505.003).
NVD Description
Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise.
Deeper analysis
CVE-2026-22799 is an unrestricted upload vulnerability in Emlog, an open source website building system, affecting versions 2.6.1 and earlier. The issue stems from the exposed REST API endpoint at /index.php?rest-api=upload, which handles media file uploads without proper validation of file types, extensions, or content. This flaw, mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-12.
Authenticated attackers with a valid API key or admin session cookie can exploit the endpoint to upload arbitrary files, including malicious PHP scripts, to the server. The API key may be obtained by gaining administrator access to enable the REST API setting or through separate information disclosure vulnerabilities in Emlog. Once uploaded, the PHP file can be executed to achieve remote code execution (RCE), resulting in full server compromise.
Mitigation details are provided in the GitHub security advisory at https://github.com/emlog/emlog/security/advisories/GHSA-p837-mrw9-5x5j and a patching commit at https://github.com/emlog/emlog/commit/429b02fda842254b9b9b39303e9161999c180560. Security practitioners should update to a patched version of Emlog, disable the REST API if unused, and audit for exposed API keys or admin credentials.
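The file type, extension and content validation that the endpoint lacks can be sketched as follows. This is an added Python example, not Emlog's code and not the fix in the referenced commit; the allow-list, the function name `validate_upload` and the sample inputs are assumptions made for illustration.

```python
import os
import secrets

# Assumed policy for a media endpoint: allowed extension -> required leading magic bytes.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Heuristic content check: a PHP open tag has no place in an image upload.
SCRIPT_MARKER = b"<?php"


def validate_upload(client_name: str, data: bytes):
    """Return (ok, reason, stored_name) for one uploaded file.

    The client-supplied name is used only to read the claimed extension;
    the name written to disk is generated server-side, so path components
    and inner extensions such as "x.php.jpg" never reach the filesystem.
    """
    base = os.path.basename(client_name.replace("\\", "/")).strip().lower()
    if not base or "\x00" in base:
        return (False, "bad filename", None)
    ext = os.path.splitext(base)[1].lstrip(".")
    if ext not in ALLOWED:                      # allow-list, never a deny-list
        return (False, "extension not allowed", None)
    if not data.startswith(ALLOWED[ext]):       # content must match the claimed type
        return (False, "content does not match extension", None)
    if SCRIPT_MARKER in data.lower():           # polyglot: valid header plus PHP payload
        return (False, "embedded script marker", None)
    return (True, "ok", f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    # Constructed sample uploads, not taken from any real request.
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.php", b"<?php echo 1;"),
        ("shell.php.jpg", b"<?php echo 1;"),
        ("avatar.jpg", b"\xff\xd8\xff\xe0" + b"<?PHP echo 1;"),
    ]
    for name, body in samples:
        print(name, "->", validate_upload(name, body)[:2])
```

Validation of this kind complements, and does not replace, storing uploads where the web server will not execute them.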
Details
- CWE(s)