Platform
php
Component
emlog
Fixed in
2.6.7
CVE-2026-31954 describes a Cross-Site Request Forgery (CSRF) vulnerability in Emlog, an open-source website building system. The flaw lets an attacker trigger the asynchronous delete action through the browser of a user who is already logged in to Emlog, because the request is accepted without a valid anti-CSRF token. The result is unauthorized deletion of site content under that user's session. Emlog versions up to and including 2.6.6 are affected; the fix ships in 2.6.7.
The root cause is the delete_async action in Emlog, which does not call LoginAuth::checkToken() to validate the anti-CSRF token before performing the deletion. Because a browser attaches the Emlog session cookie to any request bound for the site, an attacker can host a page or element that submits the delete request; when a user with an active Emlog session loads it, the deletion runs with that user's privileges. The attacker needs no credentials, only to lure the logged-in user to the crafted page, and the victim must be logged in at that moment. The content at risk is whatever the endpoint deletes; the fix note names asynchronous media file deletion. The blast radius is bounded by the victim's permissions in Emlog, so an administrator's session can do far more damage than a standard user's.
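To make the missing check concrete, here is an added PHP sketch of the vulnerable and fixed shapes of an asynchronous delete handler. It is not Emlog's code: the advisory only states that delete_async omitted LoginAuth::checkToken(), so every function, field and parameter name below is hypothetical, and the session and media store are constructed in memory so the script runs stand-alone.

```php
<?php
// Added illustration, not Emlog's code. delete_async in Emlog omitted
// LoginAuth::checkToken(); the handler names, POST fields and stores below
// are hypothetical stand-ins for that pattern.
declare(strict_types=1);

// Constructed in-memory media store standing in for the database.
$mediaStore = [101 => 'banner.png', 102 => 'report.pdf'];

// Constructed session of a logged-in user; the anti-CSRF token is issued
// once per session and embedded in the admin page's forms.
$session = ['user_id' => 1, 'csrf_token' => bin2hex(random_bytes(32))];

function isLoggedIn(array $session): bool
{
    return isset($session['user_id']);
}

/** Constant-time comparison of the submitted token against the session token. */
function checkToken(array $session, ?string $submitted): bool
{
    $expected = $session['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

/**
 * Vulnerable shape: the handler only confirms the caller is logged in.
 * A cross-site form post carries the victim's session cookie, so this
 * check passes and the forged request deletes the file.
 */
function deleteAsyncVulnerable(array $session, array $post, array &$store): string
{
    if (!isLoggedIn($session)) {
        return '401 not logged in';
    }
    $id = (int) ($post['id'] ?? 0);
    unset($store[$id]);
    return "deleted $id";
}

/**
 * Fixed shape: require POST and a token that only a page served from our
 * own origin can read. The attacker's page cannot obtain the token, so the
 * forged request fails before any state changes.
 */
function deleteAsyncFixed(array $session, string $method, array $post, array &$store): string
{
    if (!isLoggedIn($session)) {
        return '401 not logged in';
    }
    if ($method !== 'POST') {
        return '405 method not allowed';
    }
    if (!checkToken($session, $post['token'] ?? null)) {
        return '403 bad csrf token';
    }
    $id = (int) ($post['id'] ?? 0);
    if (!isset($store[$id])) {
        return '404 no such media';
    }
    unset($store[$id]);
    return "deleted $id";
}

// Simulated cross-site request: the attacker's page knows an id to target
// but cannot read the session token, so the forged post carries only the id.
$forged = ['id' => '101'];
echo deleteAsyncVulnerable($session, $forged, $mediaStore), PHP_EOL;
echo deleteAsyncFixed($session, 'POST', $forged, $mediaStore), PHP_EOL;

// Legitimate request from the admin page, which embeds the session token.
$legit = ['id' => '102', 'token' => $session['csrf_token']];
echo deleteAsyncFixed($session, 'POST', $legit, $mediaStore), PHP_EOL;
```

The token must be unpredictable (here 32 random bytes), bound to the session, and compared with hash_equals() so a timing side channel cannot leak it. Requiring POST also matters: an action reachable by GET can be triggered by a plain image tag, which needs no form at all.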
CVE-2026-31954 was publicly disclosed on 2026-03-11. No public proof-of-concept (PoC) code had been released at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. As with most CSRF issues, exploitation requires user interaction (a logged-in user has to be induced to load attacker-controlled content), which keeps the likelihood of exploitation low.
Exploit Status
EPSS
0.02% (3rd percentile)
The primary mitigation for CVE-2026-31954 is to upgrade Emlog to 2.6.7 or later, which adds the missing token check. Note that a Content Security Policy on the Emlog site does not block CSRF: the forged request is issued from the attacker's page, whose policy the attacker controls, and the browser still sends the Emlog session cookie with it. Until you can upgrade, use controls that actually act on cross-site requests. Serve the login session cookie with the SameSite attribute (for PHP's native sessions this is the session.cookie_samesite ini setting, available from PHP 7.3; check how your Emlog version issues its login cookie, since the advisory does not describe this). Reject POSTs to the admin area whose Origin or Referer header is not your own site, at the reverse proxy or in a front controller, and restrict access to the admin interface by IP where feasible. Review third-party plugins and extensions, which may expose similar unprotected actions, and monitor the site for unexpected content deletions.
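As an added example of the interim controls above (not part of Emlog or the advisory), the following PHP applies one same-site rule in two places: as a gate in front of admin POSTs while the upgrade is pending, and retrospectively over access-log lines to spot forged requests that already happened. The host names, admin path and log lines are constructed for illustration; the delete_async URL shown is hypothetical and not Emlog's real endpoint.

```php
<?php
// Added example, not Emlog code. An interim same-site gate for admin POSTs,
// and the same rule run over combined-format access-log lines. Hosts, paths
// (including the delete_async URL) and log lines are constructed.
declare(strict_types=1);

/**
 * True when a state-changing request can be attributed to our own origin.
 * Browsers send Origin on cross-site POSTs; when it is absent we fall back to
 * Referer. With neither header, or with "Origin: null", we refuse, because a
 * forged request from an opaque or sandboxed context looks exactly like that.
 */
function isSameSitePost(array $server, string $ourHost): bool
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return true; // only state-changing requests are gated
    }
    $candidate = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($candidate === null || $candidate === 'null') {
        return false;
    }
    $host = parse_url($candidate, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ourHost) === 0;
}

/** Front-controller use: call before dispatching any admin action. */
function gateAdminRequest(array $server, string $ourHost): int
{
    return isSameSitePost($server, $ourHost) ? 200 : 403;
}

/**
 * Retrospective check: flag POSTs under the admin path whose Referer is
 * missing ("-") or points at another host. Access logs carry Referer but
 * not Origin, so this is weaker than the live gate and only a lead.
 */
function findSuspiciousAdminPosts(array $logLines, string $ourHost, string $adminPrefix): array
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"/';
    $hits = [];
    foreach ($logLines as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;
        }
        [, $ip, $time, $method, $path, $status, $referer] = $m;
        if ($method !== 'POST' || strpos($path, $adminPrefix) !== 0) {
            continue;
        }
        $refHost = $referer === '-' ? null : parse_url($referer, PHP_URL_HOST);
        if (!is_string($refHost) || strcasecmp($refHost, $ourHost) !== 0) {
            $hits[] = ['ip' => $ip, 'time' => $time, 'path' => $path,
                       'status' => $status, 'referer' => $referer];
        }
    }
    return $hits;
}

// Constructed requests: one from an attacker page, one from our admin page.
$ourHost = 'blog.example';
$forged = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://attacker.example'];
$legit  = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://blog.example'];
echo 'forged: ', gateAdminRequest($forged, $ourHost), '  legit: ', gateAdminRequest($legit, $ourHost), PHP_EOL;

// Constructed combined-format log lines; the admin path is hypothetical.
$log = [
    '203.0.113.5 - - [11/Mar/2026:10:00:01 +0000] "POST /admin/media.php?action=delete_async HTTP/1.1" 200 12 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Mar/2026:10:02:14 +0000] "POST /admin/media.php?action=delete_async HTTP/1.1" 200 12 "https://blog.example/admin/media.php" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Mar/2026:10:03:40 +0000] "GET /admin/media.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];
foreach (findSuspiciousAdminPosts($log, $ourHost, '/admin/') as $hit) {
    echo "suspect: {$hit['ip']} {$hit['time']} {$hit['path']} referer={$hit['referer']}", PHP_EOL;
}
```

Treat the gate as a stopgap, not a replacement for the token check: a strict Referrer-Policy or a privacy extension can strip the fallback header and lock out legitimate users, and some non-browser clients send no Origin at all. When rolling it out, log refusals first and only then enforce.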
Update Emlog to 2.6.7 or later. That release adds the missing token check to the asynchronous media file deletion action.
CVE-2026-31954 is a Cross-Site Request Forgery vulnerability in Emlog 2.6.6 and earlier that lets an attacker delete content through the session of a logged-in user, because the delete action does not require a valid anti-CSRF token.
If you run Emlog 2.6.6 or earlier, you are affected. Upgrade to 2.6.7 or later as soon as possible.
The fix is to upgrade Emlog to 2.6.7 or later, which adds the token check. Until then, apply controls that act on cross-site requests, such as a SameSite session cookie and Origin/Referer checks on admin POSTs; a Content Security Policy alone does not stop CSRF.
As of the last update, there are no confirmed reports of active exploitation of CVE-2026-31954, but it remains a potential risk.
Please refer to the official Emlog website or security advisories for the most up-to-date information regarding CVE-2026-31954.