CVE-2026-34607 Overview
CVE-2026-34607 is a path traversal vulnerability in Emlog, an open source website building system. The flaw affects versions 2.6.2 and prior. The emUnZip() function in include/lib/common.php at line 793 calls $zip->extractTo($path) without sanitizing ZIP entry names. An authenticated administrator can upload a crafted ZIP archive containing entries with ../ sequences through plugin uploads, template uploads, or backup imports. This allows arbitrary file writes anywhere on the server filesystem, including PHP webshells, leading to Remote Code Execution (RCE). No patches are publicly available at the time of publication.
Critical Impact
Authenticated administrators can write arbitrary files to the server filesystem, including PHP webshells, achieving Remote Code Execution under the web server account.
Affected Products
- Emlog Pro versions 2.6.2 and prior
- Emlog plugin upload functionality
- Emlog template upload and backup import features
Discovery Timeline
- 2026-04-03 - CVE-2026-34607 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-34607
Vulnerability Analysis
The vulnerability resides in the emUnZip() helper located at include/lib/common.php:793. This function handles ZIP archive extraction for multiple administrative workflows including plugin installation, template installation, and backup restoration. The function passes a destination path directly to PHP's ZipArchive::extractTo() method without validating or sanitizing entry filenames within the archive.
The weakness is classified as [CWE-22] Improper Limitation of a Pathname to a Restricted Directory. PHP's extractTo() does not reject entries containing parent directory references by default. An attacker who controls archive contents can include entries such as ../../../../var/www/html/shell.php, which the extraction routine writes outside the intended directory.
Because the upload endpoints require administrator privileges, exploitation requires a valid admin session or credentials. Once those are obtained, the attacker achieves code execution under the web server user.
Root Cause
The root cause is missing input validation on ZIP entry names before extraction. The code accepts archive metadata as trusted input and relies on the extraction library to enforce filesystem boundaries. PHP's ZipArchive class does not perform this check, so traversal sequences in entry names are written to disk relative to the extraction root.
Attack Vector
An authenticated administrator uploads a crafted ZIP archive through the plugin upload, template upload, or backup import interface. The archive contains one or more entries whose filenames begin with ../ sequences that resolve to web-accessible directories. After upload, the server calls emUnZip(), which extracts the malicious entries to attacker-chosen locations. The attacker then requests the dropped PHP file through the web server to execute arbitrary commands.
The vulnerability mechanism is described in detail in the GitHub Security Advisory GHSA-2jg8-rmhm-xv9m. No verified proof-of-concept code is referenced in the advisory.
Detection Methods for CVE-2026-34607
Indicators of Compromise
- New or modified PHP files in unexpected directories outside content/plugins/ or content/templates/, particularly files created shortly after a plugin or template upload event.
- ZIP archives uploaded through /admin/plugin.php, /admin/template.php, or backup import endpoints containing entries with ../ sequences in filenames.
- Web server processes spawning shell interpreters such as sh, bash, cmd.exe, or powershell.exe from PHP execution contexts.
- Unexpected outbound network connections from the web server immediately after administrative upload activity.
Detection Strategies
- Inspect Emlog upload logs for ZIP files submitted to plugin, template, or backup endpoints and correlate with file creation events on disk.
- Run filesystem integrity monitoring across the web root and parent directories to alert on new PHP files outside expected installation paths.
- Statically scan uploaded ZIP archives for entry names containing ../, absolute paths, or null bytes before they reach emUnZip().
Monitoring Recommendations
- Enable detailed audit logging for all administrative actions in Emlog, including upload source IP, account, and uploaded filename.
- Monitor web server process trees for child processes that indicate webshell execution following file uploads.
- Alert on writes to PHP files in directories that should be static, such as include/, admin/, and the document root.
How to Mitigate CVE-2026-34607
Immediate Actions Required
- Restrict administrative access to Emlog to trusted networks or VPN-only sources until a vendor patch is released.
- Rotate all administrator credentials and enforce strong, unique passwords with multi-factor authentication where available.
- Audit the Emlog installation directory and parent paths for unauthorized PHP files and remove any unknown artifacts.
- Disable plugin, template, and backup import functionality if these features are not actively required.
Patch Information
No official patch is available at the time of publication. Track the Emlog GitHub Security Advisory GHSA-2jg8-rmhm-xv9m for updates. Once a fixed release is published by the vendor, upgrade Emlog immediately and verify the integrity of all extraction routines.
Workarounds
- Configure the web server to deny PHP execution in directories that receive uploaded content, limiting webshell impact if traversal succeeds.
- Apply restrictive filesystem permissions so the PHP-FPM or web server user cannot write to directories outside content/uploadfile/.
- Place a web application firewall rule in front of Emlog to inspect uploaded ZIP archives and block those containing entries with ../ sequences.
- Run Emlog under a dedicated low-privilege account and apply mandatory access controls such as SELinux or AppArmor to constrain write paths.
# Example Apache configuration to block PHP execution in writable directories
<Directory "/var/www/emlog/content/uploadfile">
php_admin_flag engine off
<FilesMatch "\.ph(p[3-7]?|tml|ar)$">
Require all denied
</FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

