CVE-2026-31954
Published: 11 March 2026
Summary
CVE-2026-31954 is an uncategorised-severity CSRF (CWE-352) vulnerability in Emlog (vendor: Emlog). Its CVSS base score is 0.0.
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 5.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
- Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
- Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
- Detects anomalous request patterns consistent with cross-site request forgery.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
CSRF in delete_async enables unauthorized deletion of blog posts/files/content by an attacker abusing an authenticated session, directly facilitating data destruction (T1485).
NVD Description
Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks.
Deeper analysis (AI)
CVE-2026-31954 affects Emlog, an open source website building system, in versions 2.6.6 and earlier. The vulnerability resides in the delete_async action, which implements asynchronous deletion but omits a call to LoginAuth::checkToken(), thereby enabling cross-site request forgery (CSRF) attacks as classified under CWE-352. Published on 2026-03-11, it carries a CVSS v3.1 base score of 0.0 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N), indicating no direct impact on confidentiality, integrity, or availability.
An attacker can exploit this CSRF vulnerability by tricking an authenticated user with low privileges (PR:L) into visiting a malicious webpage that submits a forged request to the delete_async endpoint over the network (AV:N) with low attack complexity (AC:L) and no required user interaction beyond the initial visit (UI:N). Successful exploitation allows the attacker to perform unauthorized asynchronous deletions on behalf of the victim within the same scope (S:U), potentially removing blog posts, files, or other content managed by the Emlog instance.
The GitHub security advisory at https://github.com/emlog/emlog/security/advisories/GHSA-xc26-93qj-rcrw provides details on mitigation, including recommended patches or upgrades for affected Emlog installations.
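The root cause above is a state-changing handler that relies on the session cookie alone and never verifies an anti-CSRF token. The following PHP is an added illustration written for this page; it is not Emlog's code, and the function names (`issue_csrf_token`, `check_csrf_token`, `delete_async_vulnerable`, `delete_async_hardened`) and the in-memory `$session` and `$posts` arrays are constructed stand-ins for a real session store and data layer. It places a synchronizer-token check of the kind `LoginAuth::checkToken()` represents in front of the deletion, and shows why a cross-site forged request is rejected while a same-origin form submission succeeds.

```php
<?php
// Added example (not Emlog's code): synchronizer-token CSRF protection for an
// asynchronous delete handler. Hypothetical names throughout; $session stands
// in for $_SESSION and $posts for the blog's content store.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

// Issue one unpredictable per-session token and keep it server-side. The same
// value is embedded in same-origin forms/AJAX calls; a cross-site page cannot
// read it, so forged requests arrive without it.
function issue_csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Compare submitted and stored tokens in constant time; absent token => fail.
function check_csrf_token(array $session, ?string $submitted): bool
{
    $stored = $session[CSRF_SESSION_KEY] ?? '';
    if ($stored === '' || $submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Vulnerable pattern (the shape described in the advisory): being logged in is
// the only gate, so the browser-attached session cookie authorises a request
// the user never intended to make.
function delete_async_vulnerable(array $session, array $request, array &$posts): bool
{
    if (empty($session['logged_in'])) {
        return false;
    }
    unset($posts[(int)($request['id'] ?? 0)]);
    return true;
}

// Hardened pattern: verify the token BEFORE any state change.
function delete_async_hardened(array $session, array $request, array &$posts): bool
{
    if (empty($session['logged_in'])) {
        return false;
    }
    if (!check_csrf_token($session, $request['token'] ?? null)) {
        http_response_code(403); // reject missing/mismatched anti-CSRF token
        return false;
    }
    unset($posts[(int)($request['id'] ?? 0)]);
    return true;
}

// Constructed demonstration data: an authenticated session and two posts.
$session = ['logged_in' => true];
$token   = issue_csrf_token($session);
$fresh   = fn(): array => [1 => 'hello world', 2 => 'second post'];

// A forged cross-site request carries the session cookie but no token.
$forged = ['id' => 1];

$posts = $fresh();
delete_async_vulnerable($session, $forged, $posts);
if (isset($posts[1])) {
    throw new RuntimeException('vulnerable handler should have deleted post 1');
}

$posts = $fresh();
$accepted = delete_async_hardened($session, $forged, $posts);
if ($accepted || !isset($posts[1])) {
    throw new RuntimeException('hardened handler must reject a tokenless request');
}

// A legitimate same-origin request includes the token and is processed.
$legit = ['id' => 1, 'token' => $token];
$accepted = delete_async_hardened($session, $legit, $posts);
if (!$accepted || isset($posts[1])) {
    throw new RuntimeException('hardened handler must accept a valid token');
}

echo "CSRF token check behaves as expected\n";
```

Run with `php csrf_example.php`. The important property is that the check sits before the `unset()`: an authorisation check that runs after the side effect, or one that only tests whether a token parameter is present rather than comparing it with `hash_equals()`, does not close the hole. For a JSON/AJAX endpoint the token is typically sent in a custom header or request body rather than a form field; the comparison logic is identical.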
Details
- CWE(s)