Description
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post_attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user’s post rather than the attacker’s own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01.
Published: 2026-04-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Post Modification
Action: Patch
AI Analysis

Impact

This vulnerability enables an authenticated user with any post editing permission to modify content that belongs to other users. By including internal class properties such as the post ID in a post_attributes payload, the attacker can instantiate a Post object that references another user's entry, effectively taking over that content through a typical IDOR combined with mass assignment.

Affected Systems

The issue impacts Chyrp Lite from xenocrat. Any installation running a version before 2026.01 is vulnerable, while releases from 2026.01 onward contain the fix.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. Because the flaw requires the attacker to be an authenticated user with post editing rights, the attack scope is limited to users who can edit content. No publicly disclosed exploits exist, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation is straightforward for users with the necessary permissions: they can craft a payload that includes the target post ID, override the binding, and repurpose the content. Preventive measures involve upgrading to the patched version or restricting edit privileges for untrusted users.

Generated by OpenCVE AI on April 7, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chyrp Lite to version 2026.01 or later.

Generated by OpenCVE AI on April 7, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Xenocrat Project
Xenocrat Project chyrp-lite
Vendors & Products Xenocrat Project
Xenocrat Project chyrp-lite

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post_attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user’s post rather than the attacker’s own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01.
Title Chyrp Lite has an IDOR via Mass Assignment in Post Model
Weaknesses CWE-639
CWE-914
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Xenocrat Project Chyrp-lite
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:47:56.696Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35173

cve-icon Vulnrichment

Updated: 2026-04-06T18:47:52.905Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-06T18:16:43.523

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35173

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T09:37:56Z

Weaknesses