CVE-2026-39276: The template upload feature in Emlog Pro v2
The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default template files or drop malicious code files directly into the current template.
HarborGuard Analysis
Synopsis
A path traversal flaw in the template upload feature of Emlog Pro v2.6.9 lets an authenticated administrator upload a ZIP archive whose entry filenames contain directory traversal sequences. The bug is reachable over the network and requires an administrator account; no victim interaction is needed. Successful exploitation overwrites default template files or drops attacker-controlled PHP into the current template, giving full remote code execution on the server. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched rebuild available the moment a fixed version ships.
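As an added illustration of the vulnerability class described above (not code from Emlog Pro or HarborGuard), the following Python function checks every entry of an uploaded ZIP against the intended template directory and reports the ones that would land outside it; the destination path and the sample archive are constructed for this example.

```python
import io
import os
import zipfile


def unsafe_entries(zip_bytes, dest_dir):
    """Return the ZIP entry names whose extraction would escape dest_dir.

    Each name is resolved the way a naive extractor would (joined onto the
    destination and normalised), then checked to still lie under dest_dir.
    Absolute paths, drive letters, backslash separators and symlink entries
    are all treated as escapes, since each gives a way out of the directory.
    """
    root = os.path.realpath(dest_dir)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename.replace("\\", "/")
            # Unix mode bits live in the high 16 bits of external_attr.
            is_symlink = ((info.external_attr >> 16) & 0o170000) == 0o120000
            absolute = name.startswith("/") or (len(name) > 1 and name[1] == ":")
            target = os.path.realpath(os.path.join(root, name))
            escapes = os.path.commonpath([root, target]) != root
            if is_symlink or absolute or escapes:
                flagged.append(info.filename)
    return flagged


def build_sample_zip(with_traversal=True):
    """Constructed sample archive: legitimate template files, plus (optionally)
    the kind of traversal entry names the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("mytheme/index.php", "<?php echo 'template'; ?>")
        archive.writestr("mytheme/style.css", "body { margin: 0 }")
        if with_traversal:
            # Entry names that resolve outside the template directory.
            archive.writestr("../../shell.php", "<?php /* constructed placeholder */ ?>")
            archive.writestr("..\\..\\config.php", "")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical destination directory, used only for this example.
    dest = "/srv/emlog/content/templates/current"
    print(unsafe_entries(build_sample_zip(), dest))  # ['../../shell.php', '..\\..\\config.php']
```

Run the check before any entry is written to disk; an archive with a non-empty result should be rejected outright rather than extracted with the bad entries skipped.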
HarborGuard Coverage
- Detection: Available
  Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against Emlog Pro layers in customer registries and CI pipelines, including custom-built images that bundle the application.
- Triage: Available
  Triage applies the published CVSS v3.1 score of 7.2 (High) as the baseline, then reweights it by each customer's compliance policy (for example, internet-exposed admin panels can be escalated) before routing to the appropriate inbox inside the customer org.
- Fix: Pending upstream
  No upstream fix exists yet, so HarborGuard re-checks the Emlog Pro advisory on every ingest cycle. The moment a fixed release is published, a patched-image rebuild becomes available, and customers with auto-remediation enabled get a rebuild, a regression-test run, and a PR opened against affected workloads.
Exploit Conditions
- Network reachability: Required. The attacker must reach the Emlog Pro admin interface over the network (AV:N).
- Authentication: Required. An administrator account is needed to access the template upload feature (PR:H).
- Victim interaction: Not required. No user has to click or open anything; the attacker drives the upload directly (UI:N).
- Attack complexity: Low. Crafting a ZIP with traversal sequences in filenames is reliable and condition-free (AC:L).
Blast Radius
- Writes attacker-controlled PHP files into the web root, leading to arbitrary code execution under the web server account.
- Overwrites legitimate template files, tampering with site content and persisting a backdoor across sessions.
- Reads any data the PHP process can reach, including database credentials, stored posts, and user records.
- Disrupts availability by corrupting template files the application needs to render pages.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Emlog Pro advisory until an upstream fix lands, with the patched-image rebuild auto-published the moment a fixed version ships. In the meantime, compensating-control guidance is surfaced for affected environments, including restricting admin-panel exposure via network policy, enforcing strong admin credentials and MFA at the ingress, and egress filtering from the application container to limit post-exploitation reach. For customers who opt into auto-remediation, the rebuild, regression run and PR flow triggers automatically once the fix is released, with a median time from upstream fix publication to merged patch PR of around 90 minutes for high-severity issues.
Metrics
- CVSS v3.1: 7.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1 (n/a / n/a n/a)
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H