Cyber Posture

CVE-2026-35174

Severity: Critical
Published: 06 April 2026
Modified: 14 April 2026
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0050 (65.9th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials, and to overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly addresses path traversal by requiring validation of user-supplied inputs, such as the uploads path, so that invalid traversals are rejected.

Prevent: Ensures timely remediation of flaws like CVE-2026-35174 through identification, reporting, testing, and patching to version 2026.01.

Prevent: Enforces least privilege by restricting the Change Settings permission to only the users who need it, limiting exploitation by malicious administrators or permitted users.
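The input-validation control above, as an added example that is not code from Chyrp Lite or from this advisory: the uploads setting is canonicalised and confined to a fixed base directory, and download requests are limited to bare file names inside that directory, which together close both the arbitrary-read and the overwrite paths the description names. The site tree, file names and the rule that uploads must stay under the uploads base are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path


class UnsafeUploadsPath(ValueError):
    """Raised when a configured or requested path escapes the allowed directory."""


def validate_uploads_path(candidate: str, allowed_base: str) -> str:
    """Accept candidate only if, after resolving symlinks and '..', it stays inside
    allowed_base; '../includes', an absolute '/' and an escaping symlink are rejected."""
    base = Path(allowed_base).resolve(strict=True)
    target = (base / candidate).resolve()  # Path('/site') / '/' is '/': absolute wins
    if target != base and base not in target.parents:
        raise UnsafeUploadsPath(f"{candidate!r} resolves to {target}, outside {base}")
    return str(target)


def safe_download_path(filename: str, uploads_dir: str) -> str:
    """Map a requested download name to a file inside uploads_dir: only a bare
    file name is accepted, then the resolved path is re-checked against the base."""
    if not filename or filename in (".", "..") or Path(filename).name != filename:
        raise UnsafeUploadsPath(f"refusing download of {filename!r}")
    return validate_uploads_path(filename, uploads_dir)


def _accepts(check, value, base) -> bool:
    try:
        check(value, base)
        return True
    except UnsafeUploadsPath:
        return False


def demo() -> dict:
    """Exercise both checks against a constructed site tree; True means accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "site")
        (site / "uploads").mkdir(parents=True)
        (site / "includes").mkdir()
        (site / "includes" / "config.json.php").write_text("<?php // constructed\n")
        (site / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8")
        os.symlink(tmp, site / "uploads" / "escape")  # symlink that leaves the site
        uploads = str(site / "uploads")
        settings = {"default": ".", "subdir": "2026", "dotdot": "../includes",
                    "root": "/", "symlink": "escape"}
        downloads = {"plain": "photo.jpg", "traversal": "../includes/config.json.php",
                     "symlink": "escape/site/includes/config.json.php"}
        results = {f"setting_{k}": _accepts(validate_uploads_path, v, uploads)
                   for k, v in settings.items()}
        results.update({f"download_{k}": _accepts(safe_download_path, v, uploads)
                        for k, v in downloads.items()})
    return results
```

Confining the setting to the uploads subtree rather than the whole site root is what stops an administrator pointing uploads at the directory holding config.json.php and then overwriting it with an upload of the same name.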

Security Summary

CVE-2026-35174 is a path traversal vulnerability in Chyrp Lite, an ultra-lightweight blogging engine. The issue resides in the administration console, where versions prior to 2026.01 allow an administrator or a user with Change Settings permission to modify the uploads path to arbitrary directories on the server. This flaw, associated with CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path), and CWE-434 (Unrestricted Upload of File with Dangerous Type), enables unauthorized file access and manipulation, with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

An attacker with administrator privileges or Change Settings permission can exploit this vulnerability remotely over the network with low complexity. By altering the uploads path, they can download sensitive files such as config.json.php containing database credentials, and overwrite critical system files, potentially achieving remote code execution on the server.

The vulnerability is addressed in Chyrp Lite version 2026.01. Security practitioners should upgrade to this patched release immediately, as detailed in the GitHub Security Advisory at https://github.com/xenocrat/chyrp-lite/security/advisories/GHSA-p6pf-2grm-8257.

Details

CWE(s): CWE-22, CWE-73, CWE-434

Affected Products: chyrplite / chyrp lite, versions ≤ 2026.01

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in a public-facing web app (T1190) enables arbitrary file read (T1083, T1005), credential theft from config files (T1552.001), and web shell deployment for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References