CVE-2026-31954
Published: 11 March 2026
Summary
CVE-2026-31954 is a uncategorised-severity CSRF (CWE-352) vulnerability in Emlog Emlog. Its CVSS base score is 0.0.
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2026-31954 affects Emlog, an open source website building system, in versions 2.6.6 and earlier. The vulnerability resides in the delete_async action, which implements asynchronous deletion but omits a call to LoginAuth::checkToken(), thereby enabling cross-site request forgery (CSRF) attacks as classified under CWE-352. Published on 2026-03-11, it carries a CVSS v3.1 base score of 0.0 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N), indicating no direct impact on confidentiality, integrity, or availability.
An attacker can exploit this CSRF vulnerability by tricking an authenticated user with low privileges (PR:L) into visiting a malicious webpage that submits a forged request to the delete_async endpoint over the network (AV:N) with low attack complexity (AC:L) and no required user interaction beyond the initial visit (UI:N). Successful exploitation allows the attacker to perform unauthorized asynchronous deletions on behalf of the victim within the same scope (S:U), potentially removing blog posts, files, or other content managed by the Emlog instance.
The GitHub security advisory at https://github.com/emlog/emlog/security/advisories/GHSA-xc26-93qj-rcrw provides details on mitigation, including recommended patches or upgrades for affected Emlog installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11319
Vulnerability details
Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF in delete_async enables unauthorized deletion of blog posts/files/content by an attacker abusing an authenticated session, directly facilitating data destruction (T1485).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires the system to enforce access-control policy on the delete_async action, which the missing LoginAuth::checkToken() call fails to do, allowing forged CSRF requests.
Requires protection of session authenticity so that cross-site requests cannot be accepted as valid authenticated actions against delete_async.
Requires validation of all inputs to ensure they originate from legitimate, same-origin authenticated sessions rather than attacker-supplied CSRF forms.