CVE-2026-46687 in emloginfo

Summary

by MITRE • 07/16/2026

Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from api_controller.php without validation, and log_controller.php later checks file_exists and calls include View::getView($template), allowing an authenticated author to include an arbitrary local .php file when an article is viewed. No fixed version is currently identified.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

This vulnerability exists within the Emlog content management system where an authenticated attacker with author privileges can exploit a path traversal flaw in the article publishing interface. The vulnerability stems from insufficient input validation of the template parameter in api_controller.php which allows maliciously crafted paths to be stored and later executed during article rendering. When articles are viewed, the log_controller.php component processes these stored paths through file_exists checks before calling View::getView($template) which ultimately leads to arbitrary local file inclusion. This represents a classic path traversal vulnerability that can be exploited to include arbitrary PHP files from the server filesystem, potentially enabling remote code execution or data exfiltration. The flaw specifically affects versions 2.6.13 and earlier, with no official patch currently available, leaving installations vulnerable to exploitation.

The technical implementation of this vulnerability follows a multi-stage attack pattern that begins with an authenticated author submitting malicious template parameters through the publishing interface. The api_controller.php component fails to validate or sanitize the template parameter input, storing it directly without proper path validation or normalization. During subsequent article viewing operations, the log_controller.php component processes this stored parameter and performs file_exists checks before passing it to View::getView() method. This design flaw creates a direct path traversal condition where attacker-controlled input can manipulate the include statement to load arbitrary PHP files from the local filesystem. The vulnerability is further exacerbated by the fact that authentication is required, but once an author account is compromised or obtained, the attack can be executed with minimal additional privileges.

The operational impact of this vulnerability is severe for organizations using affected Emlog installations, as it allows authenticated attackers to execute arbitrary code on the web server hosting the CMS. This could result in complete system compromise, data breaches, or unauthorized access to sensitive information stored within the application environment. The vulnerability enables attackers to include and execute PHP files from locations such as configuration files, database credentials, or other sensitive server components that may be accessible through local file inclusion. Additionally, the attack requires no special privileges beyond an existing author account, making it particularly dangerous for organizations where multiple users have editing capabilities. The lack of a fixed version creates ongoing risk exposure for affected systems.

Organizations should immediately implement mitigations including restricting author account permissions to prevent unauthorized access, monitoring for unusual template parameter usage in the publishing interface, and applying network-level restrictions to limit access to vulnerable endpoints. Security controls should focus on input validation at multiple layers, with particular attention to validating all user-supplied parameters before they are processed or stored. The vulnerability aligns with CWE-22 Path Traversal and CWE-94 Code Injection categories, representing a critical security gap in the application's input handling and file inclusion mechanisms. Defense-in-depth strategies should include regular security assessments, code reviews focusing on file inclusion patterns, and implementing proper access controls to limit the scope of potential exploitation. Organizations should also consider implementing web application firewalls to detect and block suspicious parameter patterns that could indicate exploitation attempts.

This vulnerability demonstrates the importance of proper input validation and secure coding practices in content management systems, particularly when handling user-supplied data for file operations. The flaw represents a significant gap in the application's security architecture where user input directly influences system file operations without adequate sanitization or verification. From an ATT&CK perspective, this vulnerability maps to techniques involving code injection and privilege escalation through legitimate system tools. The absence of a patched version creates ongoing exposure risk that requires immediate organizational action to prevent potential exploitation by malicious actors who may be actively targeting vulnerable installations. Organizations should prioritize updating their security monitoring procedures to detect anomalous template parameter usage patterns and implement automated scanning for similar vulnerabilities in other applications within their infrastructure.

Responsible

GitHub M

Reservation

05/15/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!