CSRF in Emlog

CVE-2026-31954

Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks.

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.000 (6.1th percentile)

Affected products

  • Emlog — versions <= 2.6.6