CVE-2026-41517 PUBLISHED

Emlog: Remote Code Execution via Malicious Plugin Upload

Assigner: GitHub_M
Reserved: 20.04.2026 Published: 08.05.2026 Updated: 08.05.2026

Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 0

Product Status

Vendor emlog
Product emlog
Versions
  • Version < 2.6.11 is affected

References

Problem Types

  • CWE-434: Unrestricted Upload of File with Dangerous Type CWE