Cyber Resilience

CVE-2026-31954

LowPublic PoC

Published: 11 March 2026

Published
11 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v3.1 0.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N
EPSS Score 0.0002 6.1th percentile
Risk Priority 0 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31954 is a uncategorised-severity CSRF (CWE-352) vulnerability in Emlog Emlog. Its CVSS base score is 0.0.

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-31954 affects Emlog, an open source website building system, in versions 2.6.6 and earlier. The vulnerability resides in the delete_async action, which implements asynchronous deletion but omits a call to LoginAuth::checkToken(), thereby enabling cross-site request forgery (CSRF) attacks as classified under CWE-352. Published on 2026-03-11, it carries a CVSS v3.1 base score of 0.0 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N), indicating no direct impact on confidentiality, integrity, or availability.

An attacker can exploit this CSRF vulnerability by tricking an authenticated user with low privileges (PR:L) into visiting a malicious webpage that submits a forged request to the delete_async endpoint over the network (AV:N) with low attack complexity (AC:L) and no required user interaction beyond the initial visit (UI:N). Successful exploitation allows the attacker to perform unauthorized asynchronous deletions on behalf of the victim within the same scope (S:U), potentially removing blog posts, files, or other content managed by the Emlog instance.

The GitHub security advisory at https://github.com/emlog/emlog/security/advisories/GHSA-xc26-93qj-rcrw provides details on mitigation, including recommended patches or upgrades for affected Emlog installations.

EU & UK References

Vulnerability details

Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

CSRF in delete_async enables unauthorized deletion of blog posts/files/content by an attacker abusing an authenticated session, directly facilitating data destruction (T1485).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21430Same product: Emlog Emlog
CVE-2025-25783Same product: Emlog Emlog
CVE-2025-25825Same product: Emlog Emlog
CVE-2025-61318Same product: Emlog Emlog
CVE-2026-21433Same product: Emlog Emlog
CVE-2026-34607Same product: Emlog Emlog
CVE-2026-22799Same product: Emlog Emlog
CVE-2025-9296Same product: Emlog Emlog
CVE-2025-29401Same product: Emlog Emlog
CVE-2025-30372Same product: Emlog Emlog

Affected Assets

emlog
emlog
≤ 2.6.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires the system to enforce access-control policy on the delete_async action, which the missing LoginAuth::checkToken() call fails to do, allowing forged CSRF requests.

prevent

Requires protection of session authenticity so that cross-site requests cannot be accepted as valid authenticated actions against delete_async.

prevent

Requires validation of all inputs to ensure they originate from legitimate, same-origin authenticated sessions rather than attacker-supplied CSRF forms.

References