Platform: php
Component: emlog
Fixed in: 2.6.3
CVE-2026-34607 represents a Remote Code Execution (RCE) vulnerability affecting Emlog CMS versions from 1.0.0 up to and including 2.6.2. This flaw stems from insufficient sanitization of ZIP archive entries during file extraction, allowing attackers to write arbitrary files to the server's filesystem. Successful exploitation can lead to complete system compromise, and a patch is available in version 2.6.3.
The primary impact of CVE-2026-34607 is the potential for Remote Code Execution. An authenticated administrator can leverage this vulnerability to upload a specially crafted ZIP archive containing entries with path traversal sequences (e.g., ../). This allows them to bypass intended file restrictions and write arbitrary files, including PHP webshells, to any location accessible by the webserver. A successful webshell provides the attacker with persistent remote access and control over the compromised server, enabling them to steal sensitive data, modify website content, or launch further attacks against other systems on the network. The blast radius extends to any data stored on the server and potentially to other systems accessible from it.
As of the publication date (2026-04-03), this vulnerability is not listed on the CISA KEV catalog. There are currently no publicly available proof-of-concept exploits, but the vulnerability's nature (path traversal leading to RCE) makes it a likely target for exploitation. The absence of a patch prior to public disclosure increases the risk of exploitation. The vulnerability shares similarities with other path traversal vulnerabilities that have been actively exploited in the past.
Exploit Status
EPSS: 0.37% (59th percentile)
The primary mitigation for CVE-2026-34607 is to immediately upgrade Emlog CMS to version 2.6.3 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict file uploads to trusted sources and implement strict file type validation to prevent the upload of ZIP archives. Configure a Web Application Firewall (WAF) to block requests containing suspicious path traversal patterns in file upload parameters. Monitor web server logs for unusual file creation or modification activity, particularly in sensitive directories. After upgrading, confirm the fix by attempting to upload a test ZIP archive containing a path traversal entry and verifying that the upload fails with an appropriate error message.
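As an interim control, archives can be screened before they reach the extraction step. The following is an added example, not Emlog's code or its 2.6.3 fix: it lists each ZIP entry and flags names that would resolve outside the extraction directory. It goes slightly beyond the `../` case by also catching absolute paths and backslash separators. `EXTRACT_ROOT`, `unsafe_entries` and `build_sample` are hypothetical names, and the sample archive is constructed.

```python
import io
import posixpath
import zipfile

EXTRACT_ROOT = "/srv/extract"  # assumption: placeholder for the real extraction directory


def unsafe_entries(zip_bytes, root=EXTRACT_ROOT):
    """Return (entry name, reason) for each entry that would land outside root."""
    root = posixpath.normpath(root)
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Some extractors treat "\" as a separator, so normalise before checking.
            name = info.orig_filename.replace("\\", "/")
            if name.startswith("/") or name[1:2] == ":":
                findings.append((name, "absolute path"))
                continue
            # Resolve "." and ".." lexically against the extraction root.
            target = posixpath.normpath(posixpath.join(root, name))
            if target != root and not target.startswith(root + "/"):
                findings.append((name, "escapes extraction directory"))
    return findings


def build_sample():
    """Constructed sample archive: harmless text entries, three of them unsafe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in (
            "plugin/plugin.txt",
            "plugin/../plugin/readme.txt",  # contains ".." but stays inside root
            "../../constructed-marker.txt",
            "/tmp/constructed-marker.txt",
            "plugin\\..\\..\\marker.txt",
        ):
            zf.writestr(name, "constructed sample data")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample()):
        print(f"REJECT {name}: {reason}")
```

Resolving each name against the root, rather than matching the substring `..`, avoids rejecting entries such as `plugin/../plugin/readme.txt` that stay inside the directory.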
Upgrade Emlog to version 2.6.3 or later to mitigate the path traversal vulnerability. This update fixes the missing sanitization of ZIP entry names, preventing arbitrary files from being written to the server's filesystem.
CVE-2026-34607 is a Remote Code Execution vulnerability in Emlog CMS versions 1.0.0 through 2.6.2. It allows an authenticated admin to upload crafted ZIP files to execute arbitrary code on the server.
You are affected if you are running Emlog CMS versions 1.0.0 to 2.6.2. Upgrade to version 2.6.3 or later to mitigate the risk.
The recommended fix is to upgrade Emlog CMS to version 2.6.3 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file uploads and configuring a WAF.
While no public exploits are currently available, the vulnerability's nature makes it a likely target for exploitation. Monitor your systems closely.
Refer to the official Emlog security advisory for details and updates: [https://www.emlog.org/security/](https://www.emlog.org/security/)