CVE-2026-46687

Source
https://cve.org/CVERecord?id=CVE-2026-46687
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46687.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46687
Aliases
  • GHSA-9h6g-q584-9vfg
Published
2026-07-16T17:01:31.147Z
Modified
2026-07-18T03:41:43.708929904Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Emlog Local File Inclusion (LFI)
Details

Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from apicontroller.php without validation, and logcontroller.php later checks file_exists and calls include View::getView($template), allowing an authenticated author to include an arbitrary local .php file when an article is viewed. No fixed version is currently identified.

Database specific
{
    "cwe_ids": [
        "CWE-24",
        "CWE-98"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46687.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/emlog/emlog

Affected ranges

Type
GIT
Repo
https://github.com/emlog/emlog
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.6.13"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

5.*
5.3.1
6.*
6.0.0
6.1.0
Other
ci
pro-test-01
pro-test-02
emlog_5.*
emlog_5.1.2
emlog_5.2.0
emlog_5.2.1
emlog_5.3.0
pro-1.*
pro-1.0.0
pro-1.0.1
pro-1.0.2
pro-1.0.3
pro-1.0.4
pro-1.0.5
pro-1.0.6
pro-1.0.7
pro-1.0.8
pro-1.1.0
pro-1.1.1
pro-1.2.0
pro-1.2.1
pro-1.2.2
pro-1.3.0
pro-1.3.1
pro-1.4.0
pro-1.5.0
pro-1.5.0.new
pro-1.5.1
pro-1.6.0
pro-1.7.0
pro-1.7.1
pro-1.8.0
pro-1.9.0
pro-1.9.1
pro-1.9.2
pro-1.9.3
pro-2.*
pro-2.0.0
pro-2.0.1
pro-2.0.2
pro-2.0.3
pro-2.1.0
pro-2.1.1
pro-2.1.10
pro-2.1.11
pro-2.1.12
pro-2.1.13
pro-2.1.14
pro-2.1.15
pro-2.1.2
pro-2.1.3
pro-2.1.4
pro-2.1.5
pro-2.1.6
pro-2.1.7
pro-2.1.8
pro-2.1.9
pro-2.2.0
pro-2.2.1
pro-2.2.10
pro-2.2.11
pro-2.2.2
pro-2.2.3
pro-2.2.4
pro-2.2.5
pro-2.2.6
pro-2.2.7
pro-2.2.8
pro-2.2.9
pro-2.3.0
pro-2.3.1
pro-2.3.10
pro-2.3.11
pro-2.3.12
pro-2.3.13
pro-2.3.14
pro-2.3.15
pro-2.3.16
pro-2.3.17
pro-2.3.18
pro-2.3.2
pro-2.3.4
pro-2.3.5
pro-2.3.6
pro-2.3.7
pro-2.3.8
pro-2.3.9
pro-2.4.0
pro-2.4.1
pro-2.4.2
pro-2.4.3
pro-2.5.1
pro-2.5.10
pro-2.5.11
pro-2.5.12
pro-2.5.13
pro-2.5.14
pro-2.5.15
pro-2.5.16
pro-2.5.17
pro-2.5.18
pro-2.5.19
pro-2.5.2
pro-2.5.20
pro-2.5.21
pro-2.5.22
pro-2.5.23
pro-2.5.24
pro-2.5.25
pro-2.5.26
pro-2.5.3
pro-2.5.4
pro-2.5.5
pro-2.5.6
pro-2.5.7
pro-2.5.8
pro-2.5.9
pro-2.6.0
pro-2.6.1
pro-2.6.10
pro-2.6.11
pro-2.6.12
pro-2.6.13
pro-2.6.2
pro-2.6.3
pro-2.6.4
pro-2.6.5
pro-2.6.6
pro-2.6.7
pro-2.6.8
pro-2.6.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46687.json"