CVE-2026-41517
Severity: NONE
Emlog: Remote Code Execution via Malicious Plugin Upload
Title source: cna
Description
Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11.
References (1)
x_refsource_confirm: https://github.com/emlog/emlog/security/advisories/GHSA-8qwx-6jx6-94x4
Scores
CVSS v4: 0.0
EPSS: 0.0028
EPSS Percentile: 19.1%
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-434
Status: published
Products (1): emlog/emlog < 2.6.11
Published: May 08, 2026
Tracked Since: May 09, 2026