Emlog 2.6.6 and earlier allows CSRF attacks through delete operation

CVE-2026-31954
Summary

Emlog's website building system does not protect its delete feature against cross-site request forgery, so an attacker can trick a logged-in user into deleting content they did not intend to delete. This could lead to data loss or disruption of the website. Update to the latest version of Emlog to fix this issue.

Original description
Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks.
NVD CVSS 3.1: 0.0
Vulnerability type
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026
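
A quick audit for the pattern in the description above, as an added example that is not Emlog's code: the Python script scans PHP source for `$action` handlers whose names suggest a state change and that never call `LoginAuth::checkToken()`. The PHP sample, the `$store` helper and the `if ($action === '...')` dispatch layout are constructed assumptions; only `delete_async` and `LoginAuth::checkToken()` come from the description.

```python
import re

# Constructed PHP sample (not Emlog source); $store and the dispatch layout are assumptions.
SAMPLE_PHP = r"""<?php
if ($action === 'delete') {
    LoginAuth::checkToken();
    $store->remove((int) $_GET['id']);
}
if ($action === 'delete_async') {
    $store->remove((int) $_POST['id']);
}
if ($action === 'update') {
    // LoginAuth::checkToken();
    if ($id > 0) { $store->save($id); }
}
if ($action === 'list') {
    $rows = $store->all();
}
"""

ACTION_RE = re.compile(r"""if\s*\(\s*\$action\s*={2,3}\s*['"](\w+)['"]\s*\)\s*\{""")
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
TOKEN_CALL = "LoginAuth::checkToken("
# Heuristic for handler names that modify data.
STATE_CHANGING = re.compile(r"del|remove|save|update|add|edit", re.I)

def block_body(src, open_idx):
    """Text between the '{' at open_idx and its matching '}'.
    Naive brace counting: braces inside PHP strings are not handled."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced braces: take the rest of the file

def actions_missing_token(src):
    """Names of state-changing $action handlers with no token check in their body."""
    src = COMMENT_RE.sub("", src)  # a commented-out check must not count
    return [m.group(1) for m in ACTION_RE.finditer(src)
            if STATE_CHANGING.search(m.group(1))
            and TOKEN_CALL not in block_body(src, m.end() - 1)]

if __name__ == "__main__":
    for name in actions_missing_token(SAMPLE_PHP):
        print(f"handler '{name}' changes state without LoginAuth::checkToken()")
```

A hit is a lead for manual review, not proof: a handler may enforce the token through a shared wrapper that this text scan does not follow.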