PT-2026-60533 · Emlog · Emlog
CVE-2026-46687
·
Published
2026-07-16
·
Updated
2026-07-16
CVSS v4.0
7.7
High
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from api controller.php without validation, and log controller.php later checks file exists and calls include View::getView($template), allowing an authenticated author to include an arbitrary local .php file when an article is viewed. No fixed version is currently identified.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Emlog