CVE-2026-31954 | THREATINT

Description

Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks.

PUBLISHED Reserved 2026-03-10 | Published 2026-03-11 | Updated 2026-03-12 | Assigner GitHub_M

Problem types

CWE-352: Cross-Site Request Forgery (CSRF)

Product status

<= 2.6.6

affected

References

github.com/.../emlog/security/advisories/GHSA-xc26-93qj-rcrw

cve.org (CVE-2026-31954)

nvd.nist.gov (CVE-2026-31954)

Download JSON