Arbitrary file upload in Emlog

CVE-2026-41517

Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor install…

Vulnerability class: Unrestricted File Upload

EPSS: 0.001 (17.6th percentile) — read the EPSS interpretation.

Affected products

Emlog — versions < 2.6.11

Weakness classification (CWE)

CWE-434 — Unrestricted Upload of File with Dangerous Type

References

security-advisories@github.com (x_refsource_CONFIRM)