PT-2026-2311 · Emlog · Emlog

Hebing123 · Published 2026-01-12 · Updated 2026-01-21 · CVE-2026-22799

CVSS v4.0: 9.3 Critical

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Emlog versions prior to 2.6.1

Description

Emlog is a website building system. Versions prior to 2.6.1 expose a REST API endpoint ('/index.php?rest-api=upload') for media file uploads. This endpoint does not properly validate file types, extensions, or content, allowing authenticated attackers with a valid API key or admin session cookie to upload arbitrary files, including malicious PHP scripts. Once uploaded, these files can be executed, potentially leading to remote code execution (RCE) and full server compromise. Attackers can obtain the API key by gaining administrator access or through information disclosure vulnerabilities within the application.

Recommendations

Versions prior to 2.6.1 should be updated to version 2.6.1 or later.
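
A detection sketch for the upload-then-execute pattern in the description, added here as an example and not taken from the advisory or the Emlog project: it scans web access logs for successful POSTs to the 'rest-api=upload' endpoint and for successful requests to script-extension files under the media directory. The log lines, the '/content/uploadfile/' prefix and the function names are assumptions; set the prefix to the site's actual upload path.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2026:10:00:01 +0000] "POST /index.php?rest-api=upload HTTP/1.1" 200 181 "-" "curl/8.5.0"
203.0.113.7 - - [12/Jan/2026:10:00:09 +0000] "GET /content/uploadfile/202601/a1b2.php HTTP/1.1" 200 12 "-" "curl/8.5.0"
198.51.100.4 - - [12/Jan/2026:10:02:30 +0000] "POST /index.php?rest-api=upload HTTP/1.1" 200 175 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2026:10:02:41 +0000] "GET /content/uploadfile/202601/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2026:10:05:00 +0000] "GET /index.php?post=3 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Extensions commonly mapped to the PHP handler; a match mid-path covers PATH_INFO requests.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(/|$)", re.IGNORECASE)
UPLOAD_PREFIX = "/content/uploadfile/"  # assumption: adjust to the site's media directory


def is_upload_call(method, target):
    """True for a POST to the media-upload REST endpoint named in the advisory."""
    parts = urlsplit(target)
    return (method == "POST" and parts.path.endswith("/index.php")
            and "upload" in parse_qs(parts.query).get("rest-api", []))


def find_suspicious(log_text, upload_prefix=UPLOAD_PREFIX):
    """Return 2xx requests for script files in the media directory, noting
    whether the same client made a successful upload call earlier in the log."""
    uploaders, findings = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, target, status = m.groups()
        path = urlsplit(target).path
        ok = status.startswith("2")
        if ok and is_upload_call(method, target):
            uploaders.add(ip)
        elif ok and path.startswith(upload_prefix) and SCRIPT_EXT.search(path):
            findings.append({"client": ip, "path": path,
                             "uploaded_first": ip in uploaders})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A media directory should never answer 2xx for a script extension, so each finding is worth checking against the file on disk whether or not 'uploaded_first' is set.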

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-22799
GHSA-P837-MRW9-5X5J

Affected Products

Emlog