Platform
php
Component
chyrp-lite
Fixed in
2026.01
CVE-2026-35174 describes a critical Remote Code Execution (RCE) vulnerability discovered in Chyrp Lite, an ultra-lightweight blogging engine. This flaw allows attackers to leverage a path traversal vulnerability within the administration console to gain unauthorized access and potentially execute arbitrary code on the server. The vulnerability impacts versions 0.0.0 through 2026.00, and a fix is available in version 2026.01.
The path traversal vulnerability in Chyrp Lite allows an administrator or a user with 'Change Settings' permission to manipulate the uploads path. This manipulation grants the attacker the ability to download any file accessible to the webserver, including the config.json.php file which often contains database credentials. More critically, an attacker can overwrite critical system files, effectively achieving remote code execution. This represents a severe compromise, potentially leading to complete server takeover, data exfiltration, and further malicious activity. The ability to download configuration files containing database credentials significantly expands the attack surface, allowing for database compromise and subsequent data breaches.
CVE-2026-35174 was publicly disclosed on April 6, 2026. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released as of the disclosure date. The vulnerability has not been added to the CISA KEV catalog. The CVSS score of 9.1 indicates a critical severity, suggesting a high potential for exploitation if left unaddressed.
Exploit Status
EPSS
0.46% (64% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35174 is to immediately upgrade Chyrp Lite to version 2026.01 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the administration console to trusted users only. Implement strict file upload restrictions to prevent attackers from uploading malicious files. While not a complete solution, a Web Application Firewall (WAF) configured to block path traversal attempts (e.g., using filters for ../ sequences) can provide an additional layer of defense. After upgrading, verify the fix by attempting to access files outside the intended uploads directory via the administration console; access should be denied.
Update Chyrp Lite to version 2026.01 or later to fix the path traversal vulnerability. Verify and restrict user permissions to prevent unauthorized users from modifying the uploads path. Implement robust input validation to prevent uploads path manipulation.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-35174 is a critical Remote Code Execution vulnerability in Chyrp Lite, allowing attackers to execute arbitrary code via a path traversal flaw in the admin console.
You are affected if you are running Chyrp Lite versions 0.0.0 through 2026.00. Upgrade to 2026.01 or later to resolve the vulnerability.
Upgrade Chyrp Lite to version 2026.01 or later. If immediate upgrade is not possible, restrict admin console access and implement file upload restrictions.
As of the disclosure date, there is no evidence of active exploitation, but the critical severity warrants immediate attention and remediation.
Refer to the Chyrp Lite project's official website and security advisories for the latest information and updates regarding CVE-2026-35174.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.