{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35174", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.133Z", "datePublished": "2026-04-06T17:50:04.544Z", "dateUpdated": "2026-04-06T17:50:04.544Z"}, "containers": {"cna": {"title": "Chyrp Lite has a Path Traversal to Remote Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-73", "lang": "en", "description": "CWE-73: External Control of File Name or Path", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/xenocrat/chyrp-lite/security/advisories/GHSA-p6pf-2grm-8257", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xenocrat/chyrp-lite/security/advisories/GHSA-p6pf-2grm-8257"}], "affected": [{"vendor": "xenocrat", "product": "chyrp-lite", "versions": [{"version": "< 2026.01", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:50:04.544Z"}, "descriptions": [{"lang": "en", "value": "Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials and overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01."}], "source": {"advisory": "GHSA-p6pf-2grm-8257", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials and overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01."}], "id": "CVE-2026-35174", "lastModified": "2026-04-06T18:16:43.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T18:16:43.677", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/xenocrat/chyrp-lite/security/advisories/GHSA-p6pf-2grm-8257"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026.01)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "chyrp-lite", "source": "cna", "vendor": "xenocrat"}, "product": "chyrp-lite", "vendor": "xenocrat_project"}], "analysis": {"en": {"generated_at": "2026-04-07T02:21:02.462295+00:00", "value": {"mitigation_remediation": ["Upgrade to Chyrp Lite 2026.01 or later, where the upload path validation has been corrected.", "Restrict Change Settings permission to a minimal number of trusted administrators until the upgrade is performed.", "As a temporary measure, configure the upload directory to a protected location outside the web root and ensure it is not writable by the web server."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Chyrp Lite, an ultra\u2011lightweight blogging engine developed by xenocrat, is impacted on all releases prior to version 2026.01. Users running the affected versions with an enabled administration console should be aware that the vulnerability lies in the upload path configuration feature that can be modified by administrators or users granted Change Settings permission.", "description_and_impact": "An improper handling of file paths in the Chyrp Lite administration console allows an authenticated administrator or a user with Change Settings permission to supply a relative path that resolves outside the intended uploads directory. By altering this path to reference arbitrary filesystem locations, the attacker can read protected files such as config.json.php, exposing database credentials, and subsequently overwrite critical files on the server. The resulting write operation enables the exploitation of the site to execute arbitrary code, granting full control over the underlying system.", "risk_and_exploitability": "The severity score of 9.1 classifies this flaw as critical, and the absence of an EPSS entry suggests limited publicly documented exploitation but that does not mitigate the risk. Since the flaw requires authenticated access to the admin console with sufficient privilege, the attack vector is insider or compromised administrator credentials. However, once in place, the vulnerability allows unrestricted file read/write, culminating in remote code execution. This poses an enterprise\u2011impact threat, especially for sites that store sensitive data or host user uploads."}}}}, "created": "2026-04-07T06:54:50.435051+00:00", "updated": "2026-04-07T09:37:55.358260+00:00", "vendors": ["xenocrat_project", "xenocrat_project$PRODUCT$chyrp-lite"]}