CVE-2026-22799
Published: 12 January 2026
Description
Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise.
Mitigating Controls (NIST 800-53 r5)
- Enforces comprehensive validation of information inputs, including file types, extensions, and content in the REST API upload endpoint, directly preventing unrestricted arbitrary file uploads.
- Requires timely flaw remediation through patching the specific unrestricted upload vulnerability in Emlog v2.6.1 and earlier.
- Limits system functionality by disabling unused REST API upload endpoints, eliminating exposure to the vulnerable media upload feature.
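One way to implement the input-validation control listed above, as an added PHP example. It is not Emlog's code or the fix in the patching commit; the allowlist, the function name `store_media_upload` and the storage layout are assumptions, and it relies on PHP's bundled fileinfo extension.

```php
<?php
// Added example, not Emlog's code. Allowlist, function name and paths are assumptions.
declare(strict_types=1);
// Extension => MIME type that libmagic must report for the file's bytes.
const ALLOWED_MEDIA = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/**
 * Validate one entry of $_FILES and move it into $destDir.
 * Returns the stored file name; throws RuntimeException on any failed check.
 */
function store_media_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('upload failed or not an HTTP upload');
    }

    // 1. Extension: only the final suffix counts, compared against an allowlist.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_MEDIA[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Type: sniff the bytes; the client-supplied $file['type'] is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_MEDIA[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // 3. Content: the file must parse as an image of that same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a well-formed image');
    }

    // 4. Name: server-generated, so nothing from the request reaches the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $stored)) {
        throw new RuntimeException('could not store upload');
    }
    return $stored;
}
```

Each check covers one of the three properties the description names (extension, type, content). Configuring the web server so the destination directory never executes scripts remains a separate layer in case a check is bypassed.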
Security Summary
CVE-2026-22799 is an unrestricted upload vulnerability in Emlog, an open source website building system, affecting versions 2.6.1 and earlier. The issue stems from the exposed REST API endpoint at /index.php?rest-api=upload, which handles media file uploads without proper validation of file types, extensions, or content. This flaw, mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-12.
Authenticated attackers with a valid API key or admin session cookie can exploit the endpoint to upload arbitrary files, including malicious PHP scripts, to the server. The API key may be obtained by gaining administrator access to enable the REST API setting or through separate information disclosure vulnerabilities in Emlog. Once uploaded, the PHP file can be executed to achieve remote code execution (RCE), resulting in full server compromise.
Mitigation details are provided in the GitHub security advisory at https://github.com/emlog/emlog/security/advisories/GHSA-p837-mrw9-5x5j and a patching commit at https://github.com/emlog/emlog/commit/429b02fda842254b9b9b39303e9161999c180560. Security practitioners should update to a patched version of Emlog, disable the REST API if unused, and audit for exposed API keys or admin credentials.
MITRE ATT&CK Enterprise Techniques
Unrestricted file upload in a public-facing web application (the Emlog REST API) enables exploitation of a public-facing application (T1190) and deployment of web shells via malicious PHP scripts for RCE (T1505.003).