PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46687 emlog CVE debrief

CVE-2026-46687 is a path-traversal vulnerability in Emlog 2.6.13 and earlier. The article publishing interface stores a path-traversal template parameter without validation. Later, log_controller.php checks file_exists and calls include View::getView($template), allowing an authenticated author to include an arbitrary local .php file when an article is viewed. This vulnerability has a high CVSS score of 7.7, indicating a high severity. The vulnerability is caused by the lack of validation in the article publishing interface, which allows an authenticated author to exploit this vulnerability. No fixed version is currently identified.

Vendor
emlog
Product
Unknown
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of Emlog 2.6.13 and earlier, especially those with authenticated author roles, should be aware of this vulnerability. They should review the vulnerability details and take necessary actions to protect their systems. Additionally, security teams and vulnerability management teams should also be aware of this vulnerability and review the affected scope, severity, and vendor guidance.

Technical summary

The vulnerability exists in the article publishing interface of Emlog 2.6.13 and earlier. An authenticated author can exploit this by providing a path-traversal template parameter, which is later used to include an arbitrary local .php file when an article is viewed. This is possible because the log_controller.php file checks for file existence using file_exists and then calls include View::getView($template) without proper validation. The vulnerability has a high CVSS score of 7.7, indicating a high severity.

Defensive priority

High priority due to the high CVSS score of 7.7 and the potential for authenticated authors to exploit this vulnerability.

Recommended defensive actions

  • Inventory and verify Emlog version
  • Restrict access to article publishing interface
  • Implement input validation and sanitization
  • Monitor for suspicious activity
  • Consider upgrading to a fixed version when available
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-16T18:16:44.203Z and was last modified on 2026-07-16T19:16:48.467Z. The NVD entry is currently in the 'Received' status. The vulnerability details are based on the information provided in the CVE record and NVD entry. However, the information is limited, and defenders should verify the affected scope, severity, and vendor guidance. The CVE record and NVD entry provide the most accurate and up-to-date information on this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T18:16:44.203Z and has not been modified since then. The NVD entry is currently Received.