CVE-2026-42286

HIGH

Emlog: Cross-Site Request Forgery in Admin Functions

Title source: cna

Description

Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11.

Scores

CVSS v4: 8.4
EPSS: 0.0016
EPSS Percentile: 6.0%
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-352
Status: published
Products (1): emlog/emlog < 2.6.11
Published: May 08, 2026
Tracked Since: May 09, 2026