Description
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post_attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user’s post rather than the attacker’s own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01.
Published: 2026-04-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Post Takeover via Mass Assignment
Action: Apply Patch
AI Analysis

Impact

Chyrp Lite, an ultra-lightweight blogging engine, contains an IDOR reachable through mass assignment in the Post model (CWE-639 / CWE-914). An authenticated user who holds any post-editing permission (Edit Post, Edit Draft, Edit Own Post or Edit Own Draft) can include internal class properties such as the post id in the post_attributes payload. Because the payload's keys are applied to the object being instantiated, the Post object ends up carrying the attacker-supplied id, and the subsequent edit is applied to another user's post rather than the one the attacker was authorised to edit. The result is post takeover and loss of content integrity; the advisory describes modification of posts, and the CVSS vector records no confidentiality or availability impact.
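As an added illustration, not code from Chyrp Lite or from the advisory: a hypothetical PHP edit handler that shows the mass-assignment pattern described above beside a hardened version. The class, function and field names (Post, editPost, the title and body keys, the user_id column) and the in-memory post table are assumptions constructed for this demo; only the mechanism, an attacker-supplied id in post_attributes redirecting the save to another user's post, is taken from the advisory.

```php
<?php
declare(strict_types=1);

// Hypothetical illustration of the mass-assignment IDOR pattern in the advisory.
// Not Chyrp Lite's code: the class, function and field names and the in-memory
// post table below are constructed for this example.

final class Post
{
    private const EDITABLE = ['title', 'body'];

    public function __construct(
        public int $id,
        public int $user_id,
        public string $title,
        public string $body,
    ) {}

    // Vulnerable pattern: every key in the request payload is copied over the
    // stored row, so a payload containing 'id' (or 'user_id') replaces the
    // identity of the object being instantiated.
    public static function fromAttributesUnsafe(array $row, array $attributes): self
    {
        $merged = array_merge($row, $attributes);
        return new self((int) $merged['id'], (int) $merged['user_id'],
                        (string) $merged['title'], (string) $merged['body']);
    }

    // Hardened pattern: only allowlisted content fields are taken from the
    // payload; identity and ownership always come from the stored row.
    public static function fromAttributesSafe(array $row, array $attributes): self
    {
        $merged = $row;
        foreach (self::EDITABLE as $field) {
            if (array_key_exists($field, $attributes)) {
                $merged[$field] = (string) $attributes[$field];
            }
        }
        return new self((int) $merged['id'], (int) $merged['user_id'],
                        $merged['title'], $merged['body']);
    }
}

// Minimal edit handler. $db stands in for the posts table (keyed by post id),
// $actorId for the logged-in user, $requestedId for the post named in the URL,
// $postAttributes for the decoded post_attributes payload.
function editPost(array &$db, int $actorId, int $requestedId, array $postAttributes, bool $hardened): string
{
    $row = $db[$requestedId] ?? null;
    if ($row === null) {
        return 'not found';
    }
    // "Edit Own Post" check against the post the request claims to edit.
    if ($row['user_id'] !== $actorId) {
        return 'forbidden';
    }

    $post = $hardened
        ? Post::fromAttributesSafe($row, $postAttributes)
        : Post::fromAttributesUnsafe($row, $postAttributes);

    // Defence in depth on the hardened path: refuse to persist an object whose
    // identity or owner no longer matches what the actor was authorised for.
    if ($hardened && ($post->id !== $requestedId || $post->user_id !== $actorId)) {
        return 'forbidden';
    }

    // The save is keyed by $post->id, which on the unsafe path is attacker-chosen.
    $db[$post->id] = [
        'id' => $post->id, 'user_id' => $post->user_id,
        'title' => $post->title, 'body' => $post->body,
    ];
    return 'saved post ' . $post->id;
}

// Constructed sample data: two posts owned by two different users.
$db = [
    1 => ['id' => 1, 'user_id' => 10, 'title' => 'Alice: hello', 'body' => 'alice body'],
    2 => ['id' => 2, 'user_id' => 20, 'title' => 'Bob: hello',   'body' => 'bob body'],
];

// User 10 edits their own post 1 but smuggles id=2 and user_id=10 into the payload.
$payload = ['title' => 'taken over', 'id' => '2', 'user_id' => '10'];

$unsafe = $db;
printf("unsafe: %s; post 2 now title=%s owner=%d\n",
    editPost($unsafe, 10, 1, $payload, false), $unsafe[2]['title'], $unsafe[2]['user_id']);

$safe = $db;
printf("safe:   %s; post 2 still title=%s owner=%d\n",
    editPost($safe, 10, 1, $payload, true), $safe[2]['title'], $safe[2]['user_id']);
```

Run it with the php CLI. On the unsafe path the actor (user 10) passes the ownership check for post 1, but the merged object carries id 2, so the save overwrites Bob's post and even re-labels its owner. On the hardened path only title and body are taken from the payload, id and user_id come from the stored row, and the write stays on post 1. The second check on the object about to be persisted is defence in depth: it catches any future code path that reintroduces an unfiltered merge.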

Affected Systems

The issue is present in all releases of Xenocrat's Chyrp Lite before 2026.01; every deployment running a version from the original release up to, but not including, 2026.01 is affected. NVD tracks the product under the version-agnostic CPE cpe:2.3:a:chyrplite:chyrp_lite:*:*:*:*:*:*:*:*, so exposure must be judged against the installed release rather than the CPE alone.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) rates the vulnerability medium severity: it is reachable over the network with low attack complexity and no user interaction, but it requires an authenticated account with post-editing permissions, and its impact is confined to integrity (no confidentiality or availability loss). The EPSS probability is below 1%, indicating a low likelihood of exploitation in the wild, and the SSVC assessment records Exploitation: poc, meaning a proof of concept exists but active exploitation has not been observed. The flaw is not listed in the CISA KEV catalog. Because valid credentials are required, sites with open registration or a large contributor base face the highest practical risk.

Generated by OpenCVE AI on April 14, 2026 at 16:32 UTC.

Remediation

Vendor fix: Chyrp Lite 2026.01 (per the CVE description). No workaround is documented on this page.

OpenCVE Recommended Actions

  • Upgrade Chyrp Lite to 2026.01 or newer
  • Until the upgrade is applied, limit the Edit Post, Edit Draft, Edit Own Post and Edit Own Draft permissions to trusted accounts, since any one of them is sufficient to reach the flaw
  • Audit for posts that were last edited by a user other than their owner, and for edit requests whose post_attributes payload carries id or other internal properties


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 15:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Chyrplite; Chyrplite chyrp Lite
CPEs                |                | cpe:2.3:a:chyrplite:chyrp_lite:*:*:*:*:*:*:*:*
Vendors & Products  |                | Chyrplite; Chyrplite chyrp Lite

Tue, 07 Apr 2026 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Xenocrat Project; Xenocrat Project chyrp-lite
Vendors & Products  |                | Xenocrat Project; Xenocrat Project chyrp-lite

Mon, 06 Apr 2026 20:00:00 +0000

Type         | Values Removed | Values Added
Description  |                | Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post_attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user's post rather than the attacker's own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01.
Title        |                | Chyrp Lite has an IDOR via Mass Assignment in Post Model
Weaknesses   |                | CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-914 (Improper Control of Dynamically-Identified Variables)
References   |                |
Metrics      |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
             |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:47:56.696Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35173

Vulnrichment

Updated: 2026-04-06T18:47:52.905Z

NVD

Status : Analyzed

Published: 2026-04-06T18:16:43.523

Modified: 2026-04-14T15:36:44.207

Link: CVE-2026-35173

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:13Z

Weaknesses