Platform: php
Component: emlog
Fixed in: 2.6.7
CVE-2026-31954 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Emlog, an open-source website building system. This flaw allows an attacker to trigger asynchronous delete actions without proper authentication, potentially leading to unauthorized content deletion. The vulnerability impacts Emlog versions up to and including 2.6.6. A fix is available in a later version of Emlog.
The core of this vulnerability lies in the delete_async action within Emlog. Due to a missing check for authentication tokens (LoginAuth::checkToken()), an attacker can craft malicious requests that, when triggered by a user, will execute the delete action on their behalf. This could result in the deletion of critical website content, including posts, pages, or media files. The attacker doesn't need to know the user's credentials, only to trick them into visiting a crafted URL or interacting with a malicious element. The blast radius is limited to the scope of the user's permissions within Emlog; an administrator could cause significantly more damage than a standard user.
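To make the missing check concrete, here is an added illustrative example in PHP, not Emlog's own code: a minimal asynchronous delete handler that only checks login state, beside a hardened form that adds the token verification described above. Function names, the token field name, the header check and the response format are assumptions.

```php
<?php
// Added illustrative example (not Emlog's own code): a minimal delete_async
// handler showing the missing-check pattern beside a hardened form. Function
// names, the token field name and the response shape are assumptions.

session_start();

// Per-session CSRF token; the page embeds it in the asynchronous request.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Vulnerable pattern: only the login state is checked, so any request that
// carries the victim's session cookie (even one started by another site) is honoured.
function delete_async_vulnerable(int $id): array {
    if (empty($_SESSION['user_id'])) {
        return ['code' => 403, 'msg' => 'login required'];
    }
    // delete_media($id); // the destructive action would run here
    return ['code' => 0, 'msg' => "deleted $id"];
}

// Hardened pattern: require POST, reject declared cross-site requests, and
// verify the anti-CSRF token (the token check is the primary control).
function delete_async_hardened(int $id): array {
    if (empty($_SESSION['user_id'])) {
        return ['code' => 403, 'msg' => 'login required'];
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return ['code' => 405, 'msg' => 'POST required'];
    }
    // Browsers that send Sec-Fetch-Site let us drop cross-site requests early.
    if (($_SERVER['HTTP_SEC_FETCH_SITE'] ?? '') === 'cross-site') {
        return ['code' => 403, 'msg' => 'cross-site request rejected'];
    }
    $sent = $_POST['token'] ?? '';
    // hash_equals() compares in constant time.
    if ($sent === '' || !hash_equals(csrf_token(), $sent)) {
        return ['code' => 403, 'msg' => 'invalid CSRF token'];
    }
    // delete_media($id); // only reached with a valid token
    return ['code' => 0, 'msg' => "deleted $id"];
}
```

The hardened handler refuses a request that lacks the token even when the session cookie is valid, which is exactly the case a cross-site request produces.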
CVE-2026-31954 was publicly disclosed on 2026-03-11. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the nature of CSRF vulnerabilities, it is considered a relatively low-probability exploit, requiring user interaction to be successful.
Websites using Emlog version 2.6.6 or earlier are at risk. Shared hosting environments where multiple websites share the same Emlog installation are particularly vulnerable, as a compromise on one site could potentially impact others. Users who frequently share links or interact with external websites are also at higher risk of being tricked into triggering a malicious request.
• php / server:
grep -r 'delete_async' /var/www/emlog/
• generic web:
curl -I https://your-emlog-site.com/ | grep -i 'delete_async'
Disclosure
Exploit Status:
EPSS: 0.02% (3rd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-31954 is to upgrade Emlog to a version that includes the necessary authentication check. Until an upgrade is possible, consider implementing a Content Security Policy (CSP) to restrict the origins from which Emlog can load resources. This can help prevent the execution of malicious scripts. Additionally, carefully review any third-party plugins or extensions installed on your Emlog site, as they may introduce similar vulnerabilities. Regularly monitor your Emlog site for suspicious activity, such as unexpected content deletions.
Update Emlog to a version later than 2.6.6. This fixes the CSRF vulnerability in the asynchronous media file deletion.
CVE-2026-31954 is a Cross-Site Request Forgery vulnerability in Emlog versions 2.6.6 and earlier, allowing attackers to delete content without authentication.
If you are using Emlog version 2.6.6 or earlier, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade Emlog to a version that includes the authentication check. Until then, consider implementing a Content Security Policy (CSP).
As of the last update, there are no confirmed reports of active exploitation of CVE-2026-31954, but it remains a potential risk.
Please refer to the official Emlog website or security advisories for the most up-to-date information regarding CVE-2026-31954.