Platform: php
Component: chyrp-lite
Fixed in: 2026.01
CVE-2026-35173 describes an Insecure Direct Object Reference (IDOR) / Mass Assignment vulnerability discovered in Chyrp Lite, an ultra-lightweight blogging engine. This flaw allows authenticated users with post editing permissions to modify posts belonging to other users, potentially leading to complete post takeover. The vulnerability impacts versions of Chyrp Lite prior to 2026.01 and has been resolved in version 2026.01.
An attacker exploiting this IDOR vulnerability can gain unauthorized access to, and modify, other users' blog posts. By supplying internal class properties such as 'id' inside the post_attributes payload, an attacker can make the application operate on a different user's post instead of their own. This allows them to alter content, delete posts, or impersonate the original author. The blast radius covers every post on the site, because any user with post editing permissions can target any other user's posts. The issue is especially concerning in shared hosting environments where multiple blogs run on the same server, which widens the potential impact.
CVE-2026-35173 was publicly disclosed on April 6, 2026. As of this writing, there is no public proof-of-concept available. The vulnerability's severity is assessed as MEDIUM. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation given authenticated access suggests a potential risk.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35173 is to upgrade Chyrp Lite to version 2026.01 or later, which contains the fix. If upgrading is not immediately feasible, tighten access controls to limit which users can edit posts. Validate user input strictly, especially when handling post attributes, so that internal identifiers such as 'id' cannot be set from the request. Consider a WAF rule that blocks edit requests whose post_attributes payload carries internal identifiers. Regularly review user permissions and enforce the principle of least privilege.
Update Chyrp Lite to version 2026.01 or later to mitigate the IDOR vulnerability. This update corrects the mass assignment issue that allows attackers to modify posts they do not own.
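The following is an added illustration of the flaw class described above and of the input-validation mitigation, not code from Chyrp Lite or its fix. It shows a minimal PHP post-edit handler in which every key of a post_attributes array is copied onto the post object (mass assignment), so a client-supplied 'id' redirects the save to another user's row, beside a hardened version that allowlists writable fields and checks ownership of the post actually being written. The Post class, the in-memory $posts store, and the user and post ids are all constructed for the example.

```php
<?php
// Added example (not Chyrp Lite's code). Post, $posts, the user ids and
// the payload are constructed here purely to demonstrate the pattern.

final class Post
{
    public function __construct(
        public int $id,
        public int $user_id,
        public string $title,
        public string $body,
    ) {}
}

// Constructed in-memory store keyed by post id: user 10 owns post 1,
// user 20 owns post 2.
$posts = [
    1 => new Post(1, 10, 'Post by user 10', 'body one'),
    2 => new Post(2, 20, 'Post by user 20', 'body two'),
];

// VULNERABLE: ownership is checked for the post the client claims to edit,
// but then every key in $attributes is assigned to the object, including
// 'id'. The save therefore lands on whichever row the client named.
function updatePostVulnerable(array $posts, int $currentUserId, int $postId, array $attributes): array
{
    $post = clone $posts[$postId];
    if ($post->user_id !== $currentUserId) {
        throw new RuntimeException('forbidden');
    }
    foreach ($attributes as $key => $value) {
        $post->$key = $value;              // 'id' (and 'user_id') can be overwritten here
    }
    $posts[$post->id] = $post;             // writes to the attacker-chosen id
    return $posts;
}

// HARDENED: only allowlisted fields are writable, so internal identifiers
// can never come from the request, and the ownership check applies to the
// row that is actually persisted.
function updatePostHardened(array $posts, int $currentUserId, int $postId, array $attributes): array
{
    $allowed = ['title', 'body'];
    $post = isset($posts[$postId]) ? clone $posts[$postId] : null;
    if ($post === null || $post->user_id !== $currentUserId) {
        throw new RuntimeException('forbidden');
    }
    foreach ($attributes as $key => $value) {
        if (!in_array($key, $allowed, true)) {
            continue;                      // drop unknown and internal keys such as 'id'
        }
        if (!is_string($value)) {
            throw new InvalidArgumentException("$key must be a string");
        }
        $post->$key = $value;
    }
    $posts[$post->id] = $post;             // $post->id is still $postId
    return $posts;
}

// Constructed request: user 10 edits their own post 1 but smuggles 'id' => 2.
$payload = ['title' => 'edited title', 'id' => 2];

$after = updatePostVulnerable($posts, 10, 1, $payload);
// Row 2 now holds user 10's edited object: the other user's post was overwritten.
printf("vulnerable: row 2 title=%s owner=%d\n", $after[2]->title, $after[2]->user_id);

$safe = updatePostHardened($posts, 10, 1, $payload);
// Row 1 is updated, row 2 is untouched.
printf("hardened:   row 1 title=%s, row 2 title=%s\n", $safe[1]->title, $safe[2]->title);

// A direct attempt by user 10 on post 2 is refused by the ownership check.
try {
    updatePostHardened($posts, 10, 2, ['title' => 'x']);
} catch (RuntimeException $e) {
    echo "hardened:   direct edit of post 2 -> ", $e->getMessage(), PHP_EOL;
}
```

The key design point is that the allowlist is applied before assignment rather than trying to blocklist 'id': any field not explicitly marked as client-writable is dropped, so new internal properties added later are protected by default. Running the script prints the overwritten row for the vulnerable handler and the unchanged row 2 for the hardened one.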
CVE-2026-35173 is an Insecure Direct Object Reference (IDOR) vulnerability in Chyrp Lite versions before 2026.01, allowing authenticated users to modify posts they don't own.
You are affected if you are using a Chyrp Lite version earlier than 2026.01 and have users with post editing permissions.
Upgrade Chyrp Lite to version 2026.01 or later. Implement stricter access controls and validate user input as temporary mitigations.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation warrants caution.
Refer to the Chyrp Lite project's official website or security advisories for the latest information.