Description
SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component
Published: 2026-03-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Databases Retrieval
Action: Apply Patch
AI Analysis

Impact

A SQL Injection flaw exists in the Admin.php component of Chyrp CMS version 2.5.2 and older. The vulnerability is a classic example of CWE‑89, allowing a remote attacker to inject malicious SQL statements that can read or exfiltrate sensitive data from the database. The impact is direct data disclosure, potentially exposing user credentials, posts, or other confidential information, without providing control over the server or writable access beyond the database layer.

Affected Systems

Chyrp CMS (cpe:2.3:a:chyrp:chyrp:*:*:*:*:*:*:*) affected in all releases up to and including version 2.5.2. No specific patch version is listed, and the vendor is not identified.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% suggests a low probability of actual exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by crafting a SQL payload to the Admin.php endpoint. Successful exploitation grants read‑only access to the underlying database, allowing information disclosure but not arbitrary code execution.

Generated by OpenCVE AI on March 20, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply official patch to Chyrp once available
  • If a patch is not yet released, restrict access to the Admin.php interface to trusted IPs or authenticated users only
  • Continuously monitor web server logs for unusual SQL usage patterns or authentication attempts

Generated by OpenCVE AI on March 20, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in Chyrp Admin Component Allows Remote Data Retrieval

Fri, 20 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:chyrp:chyrp:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Chyrp
Chyrp chyrp
Vendors & Products Chyrp
Chyrp chyrp

Mon, 16 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description SQL Injection vulnerability in Chyrp v.2.5.2 and before allows a remote attacker to obtain sensitive information via the Admin.php component
References

Subscriptions

Chyrp Chyrp
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-16T18:58:26.256Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69768

cve-icon Vulnrichment

Updated: 2026-03-16T18:56:47.519Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T18:16:04.780

Modified: 2026-03-20T13:34:56.290

Link: CVE-2025-69768

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T14:01:00Z

Weaknesses