VYPR
Unrated severity · NVD Advisory · Published May 29, 2026

CVE-2026-39276

Description

The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default template files or directly include malicious code files in the current template.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated administrators in Emlog Pro v2.6.9 are vulnerable to path traversal through template ZIP upload, leading to arbitrary PHP code execution.

Vulnerability

The template upload feature in Emlog Pro v2.6.9 (and all prior versions) contains a path traversal vulnerability ([1]). When an authenticated administrator uploads a malicious ZIP archive via /admin/template.php, the emUnZip() function does not sanitize filenames containing directory traversal sequences (e.g., ../). This allows files to be written outside the intended template directory, overwriting existing template files such as header.php or footer.php [1].

Exploitation

An attacker must have administrative access to the Emlog backend. The attacker crafts a ZIP archive with filenames that include ../ traversal sequences pointing to the target template directory. Upon uploading and extracting the archive through the template management interface, the system writes the payload files to the traversed location, overwriting legitimate default template files [1]. No additional user interaction beyond the admin's upload action is required.

Impact

Successful exploitation enables arbitrary PHP code execution with the web server's privileges. By overwriting a default template file (e.g., header.php), the attacker achieves full-site remote code execution (RCE), affecting all site visitors who load the compromised page. The malicious code persists within the template structure and may remain even after the uploaded template is deleted [1]. Attackers gain full server control and can insert backdoors for continued access.

Mitigation

No fixed version has been released by the vendor as of the report date [1]. Administrators should restrict backend access via IP allowlisting to reduce attack surface. Manual sanitization of ZIP archive filenames before extraction or disabling the template upload feature for untrusted ZIP files are interim workarounds [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet).

Vulnerability mechanics

Root cause

"Missing filename sanitization in ZIP extraction allows directory traversal, enabling arbitrary file overwrite."

Attack vector

An authenticated administrator uploads a malicious ZIP archive via the backend template installation feature at `/admin/template.php`. The archive contains a valid template directory (to pass a superficial check for `header.php`) plus a file with a path traversal sequence such as `../default/header.php`. The system extracts the archive without sanitizing filenames, overwriting the default template's `header.php` with attacker-controlled PHP code. Any visitor to the site then triggers execution of the injected code, leading to remote code execution. [CWE-22] [ref_id=1]

Affected code

The vulnerability resides in the `emUnZip()` function in `/admin/template.php` (lines 69-105) and the extraction logic in `/include/lib/common.php` (lines 768-808). The `extractTo()` call at line 802 of `common.php` does not validate or sanitize filenames inside the ZIP archive, allowing directory traversal sequences like `../` to escape the intended template directory. [ref_id=1]

What the fix does

The advisory recommends three remediation measures: (1) resolve the absolute path with `realpath()` and verify it stays within `/content/templates/`; (2) strip or reject directory traversal sequences (`../`, `..\`) from filenames inside the ZIP; (3) iterate over all archive entries to whitelist allowed file extensions before extraction. No official patch has been published for Emlog Pro v2.6.9. [ref_id=1]
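A hardened extraction routine that applies the three measures above before any file is written, as an added example (not Emlog's own code): it assumes PHP's built-in `ZipArchive`, a hypothetical templates root path passed by the caller, and an assumed allow-list of template file extensions.

```php
<?php
// Added example, not Emlog's code: vet every archive entry name before
// ZipArchive::extractTo() runs, so traversal entries never reach the disk.

// Returns the entry names that are safe to extract; throws on the first bad one.
function vetTemplateArchiveEntries(ZipArchive $zip, string $templatesRoot): array
{
    // Measure (1): anchor on the resolved templates root, not the raw string
    $root = realpath($templatesRoot);
    if ($root === false) {
        throw new RuntimeException("templates root does not exist: $templatesRoot");
    }
    // Assumed allow-list; adjust to what a template legitimately ships
    $allowedExt = ['php', 'css', 'js', 'png', 'jpg', 'gif', 'svg', 'html', 'txt'];
    $safe = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Measure (2): reject absolute paths, drive letters, NUL bytes and any
        // ".." component, splitting on both "/" and "\" so "..\" is caught too
        $parts = preg_split('#[\\\\/]+#', $name);
        if ($name === '' || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name)
            || in_array('..', $parts, true) || strpos($name, "\0") !== false) {
            throw new RuntimeException("rejected archive entry: $name");
        }
        // Belt and braces: the lexical target must still sit under the root
        $clean = [];
        foreach ($parts as $p) {
            if ($p !== '' && $p !== '.') { $clean[] = $p; }
        }
        $target = $root . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $clean);
        if (strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
            throw new RuntimeException("entry escapes templates root: $name");
        }
        // Measure (3): directory entries end with "/"; files need an allowed extension
        if (substr($name, -1) !== '/') {
            $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
            if (!in_array($ext, $allowedExt, true)) {
                throw new RuntimeException("disallowed extension in entry: $name");
            }
        }
        $safe[] = $name;
    }
    return $safe;
}

// Extract only the vetted names, and only after the whole archive passed.
function installTemplateArchive(string $zipPath, string $templatesRoot): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    $names = vetTemplateArchiveEntries($zip, $templatesRoot);
    $zip->extractTo($templatesRoot, $names);
    $zip->close();
}
```

Because the check is all-or-nothing, a single traversal entry causes the whole archive to be refused rather than partially installed.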

Preconditions

  • auth: Attacker must have valid administrator credentials for the Emlog backend
  • network: Backend template upload feature must be accessible (no IP restriction)
  • input: Attacker must craft a ZIP archive with a valid template directory and a traversal payload

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
