CVE-2026-35174
Received Received - Intake
Path Traversal in Chyrp Lite Admin Enables Remote Code Execution

Publication date: 2026-04-06

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials and overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35174
EUVD
EUVD-2026-19422
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chyrplite chyrp_lite to 2026.01 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35174 is a critical path traversal vulnerability in the Chyrp Lite blogging engine prior to version 2026.01. It allows an authenticated administrator or a user with Change Settings permission to manipulate the uploads path in the administration console to point to any folder on the server.

The vulnerability exists because the AdminController does not properly filter directory traversal sequences, allowing attackers to bypass restrictions and set the uploads directory to arbitrary locations, including sensitive system directories.

Exploitation enables attackers to download any file on the server, such as configuration files containing database credentials, and to overwrite critical system files by replacing executable PHP files with malicious code, leading to remote code execution.

Impact Analysis

This vulnerability can have severe impacts including disclosure of sensitive information, such as database passwords, by allowing arbitrary file downloads.

It also allows remote code execution by overwriting executable PHP files with malicious code, which can lead to full system compromise.

Additionally, attackers can cause denial of service by corrupting critical system files, affecting the availability and integrity of the system.

Detection Guidance

This vulnerability can be detected by checking if the uploads path in the Chyrp Lite administration console can be set to arbitrary or sensitive directories using path traversal sequences.

Specifically, you can test if the uploads path accepts directory traversal patterns such as '../' or evasion patterns like '/...../' which resolve to '../'.

Commands or steps to detect the vulnerability include:

  • Attempt to change the uploads path in the admin console to an absolute root path such as '/' and verify if it is accepted.
  • Try setting the uploads path to sensitive directories like '/includes/' or '/tmp/' using traversal sequences.
  • Use the download.php script to attempt downloading sensitive files (e.g., config.json.php) from the uploads path.
  • Check if the admin_update_upload() action allows overwriting files in these directories.
Mitigation Strategies

The immediate mitigation step is to upgrade Chyrp Lite to version 2026.01 or later, where this vulnerability is fixed.

The patch disallows backtracking using '../' path components and prevents setting unsafe directories as the uploads path.

Until the upgrade can be applied, restrict access to the administration console to trusted users only, especially those with Change Settings permission.

Additionally, monitor and audit changes to the uploads path and any file uploads or downloads to detect suspicious activity.

Compliance Impact

This vulnerability allows an authenticated user to download sensitive files such as configuration files containing database credentials and to overwrite critical system files, leading to remote code execution. Such unauthorized access and manipulation of sensitive data can result in breaches of confidentiality, integrity, and availability.

Because of the potential disclosure of sensitive information and unauthorized system control, this vulnerability could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and modification.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35174. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart