CVE-2026-34607
Published: 03 April 2026
Summary
CVE-2026-34607 is a high-severity Path Traversal (CWE-22) vulnerability in Emlog. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 36.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of ZIP archive entry names to block path traversal sequences like ../ during extraction, directly preventing arbitrary file writes.
SI-2 mandates identification, reporting, and correction of the path traversal flaw in emUnZip(), eliminating the vulnerability at its source.
SI-7 monitors filesystem integrity to detect unauthorized file modifications resulting from exploited ZIP extractions leading to webshell deployment.
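The SI-10 check described above, sketched as an added example (not Emlog's code and not a vendor patch): every entry name is validated before anything is extracted, so a rejected archive writes nothing. The helper names `isSafeEntryName` and `extractZipChecked` are hypothetical; only standard `ZipArchive` calls are used.

```php
<?php
// Added example: hypothetical helper names, not Emlog's own code.

/** Return true when a ZIP entry name would stay inside the extraction root. */
function isSafeEntryName(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    // Treat backslashes as separators so "..\" is caught on every platform.
    $normalized = str_replace('\\', '/', $name);
    // Reject absolute paths ("/etc/x") and Windows drive prefixes ("C:/x").
    if ($normalized[0] === '/' || preg_match('#^[A-Za-z]:#', $normalized)) {
        return false;
    }
    // Reject any ".." path segment; names such as "v1..2/readme.txt" stay valid.
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

/** Extract $zipFile into $destDir only if every entry name passes validation. */
function extractZipChecked(string $zipFile, string $destDir): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipFile) !== true) {
        throw new RuntimeException('Cannot open ZIP archive');
    }
    try {
        // Validate the whole archive first so a bad entry leaves nothing on disk.
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if ($name === false || !isSafeEntryName($name)) {
                throw new RuntimeException("Rejected ZIP entry at index $i");
            }
        }
        if (!$zip->extractTo($destDir)) {
            throw new RuntimeException('Extraction failed');
        }
    } finally {
        $zip->close();
    }
}
```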
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A path traversal in a public-facing web application (Emlog) allows a crafted ZIP upload to write a PHP webshell, leading to RCE.
NVD Description
Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip() function (include/lib/common.php:793). When extracting ZIP archives (plugin/template uploads, backup imports), the function calls $zip->extractTo($path) without sanitizing ZIP entry names. An authenticated admin can upload a crafted ZIP containing entries with ../ sequences to write arbitrary files to the server filesystem, including PHP webshells, achieving Remote Code Execution (RCE). At time of publication, there are no publicly available patches.
Deeper analysis
CVE-2026-34607 is a path traversal vulnerability in Emlog, an open source website building system, affecting versions 2.6.2 and prior. The flaw exists in the emUnZip() function at include/lib/common.php:793, which extracts ZIP archives during plugin/template uploads and backup imports by calling $zip->extractTo($path) without sanitizing ZIP entry names.
An authenticated administrator can exploit the vulnerability by uploading a crafted ZIP archive containing entries with ../ sequences. This enables writing arbitrary files to the server filesystem, including PHP webshells, ultimately achieving remote code execution (RCE).
The GitHub security advisory (GHSA-2jg8-rmhm-xv9m) indicates that no publicly available patches exist at the time of publication on 2026-04-03.