CVE-2026-22799 · HIGH 8.8 · EPSS p45.3%

Description

Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.63% probability of exploitation · percentile 45.3% · 2026-06-18T12:00:27Z
Published: 2026-01-12
Last modified: 2026-01-21

Underlying weaknesses · 1

CWE-434

References

  1. https://github.com/emlog/emlog/commit/429b02fda842254b9b9b39303e9161999c180560
  2. https://github.com/emlog/emlog/security/advisories/GHSA-p837-mrw9-5x5j

Type: Weakness
Target: Unrestricted Upload of File with Dangerous Type (cwe-434)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-29401
CVE-2025-47787
CVE-2025-25783
CVE-2026-39276
CVE-2025-47785
CVE-2025-9296

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.