CVE-2026-31954

Published: Mar 11, 2026Modified: Mar 17, 2026

7.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Exploitability: 2.1 / Impact: 5.2

Source: NVD

Description

Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks.

Affected (1)

Products: Emlog: Emlog

Emlog

1 product

Emlog

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Emlog Emlog	Up to 2.6.6

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (1)

https://github.com/emlog/emlog/security/advisories/GHSA-xc26-93qj-rcrw

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.