CVE-2026-35174 - Vulnerability Details

- Chyrp Lite has a Path Traversal to Remote Code Execution

Description

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials and overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01.

Published: 2026-04-06

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An attacker who can access the administration console of Chyrp Lite or obtain Change Settings permissions can alter the uploads path to any directory on the server. This path traversal flaw permits downloading arbitrary files, including sensitive configuration files that store database credentials, and the overwriting of critical system files. Such manipulation leads to complete control over the application, enabling the execution of arbitrary code on the host.

Affected Systems

The vulnerability affects instances of the Chyrp Lite blogging engine that are running versions prior to 2026.01. The vendor is Xenocrat, and the product name is Chyrp Lite.

Risk and Exploitability

The assessed CVSS score of 9.1 indicates a high severity condition, while the EPSS score of less than 1% suggests current exploitation attempts are rare. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the admin area, but once granted, an attacker can trigger remote code execution by uploading malicious content or overwriting essential files. Given the potential impact and the availability of a patch, this flaw represents a critical risk for affected deployments.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

xenocrat

chyrp-lite

affected

Version	Status	Constraints
`< 2026.01`	affected	—

Configuration 1 [-]

cpe:2.3:a:chyrplite:chyrp_lite:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Xenocrat Project

Chyrp-lite

83%

Version	Status	Scheme	Platform
`[0,2026.01)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Chyrp Lite to version 2026.01 or later
Restrict Change Settings permissions to trusted administrators only
Verify file system permissions to ensure config.json.php and other critical files are not writable by the web server
Monitor the uploads directory for unauthorized modifications

Generated by OpenCVE AI on April 14, 2026 at 16:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00456.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/xenocrat/chyrp-lite/security/advisories/GHSA-p6pf-2grm-8257

History

Tue, 14 Apr 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Chyrplite Chyrplite chyrp Lite
CPEs		cpe:2.3:a:chyrplite:chyrp_lite::::::::
Vendors & Products		Chyrplite Chyrplite chyrp Lite

Tue, 07 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xenocrat Project Xenocrat Project chyrp-lite
Vendors & Products		Xenocrat Project Xenocrat Project chyrp-lite

Mon, 06 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials and overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01.
Title		Chyrp Lite has a Path Traversal to Remote Code Execution
Weaknesses		CWE-22 CWE-434 CWE-73
References		https://github.com/xenocrat/chyrp-lite/security/advisories/GHSA-p6pf-2grm-8257
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Chyrplite Chyrp Lite

Xenocrat Project Chyrp-lite

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-06T17:50:04.544Z

Updated: 2026-04-07T14:38:40.034Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35174

Vulnrichment

Updated: 2026-04-07T14:38:36.147Z

NVD

Status : Analyzed

Published: 2026-04-06T18:16:43.677

Modified: 2026-04-14T15:37:14.427

Link: CVE-2026-35174

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object