CVE-2026-35174
Path Traversal in Chyrp Lite Admin Enables Remote Code Execution
Publication date: 2026-04-06
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chyrplite | chyrp_lite | to 2026.01 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35174 is a critical path traversal vulnerability in the Chyrp Lite blogging engine prior to version 2026.01. It allows an authenticated administrator or a user with Change Settings permission to manipulate the uploads path in the administration console to point to any folder on the server.
The vulnerability exists because the AdminController does not properly filter directory traversal sequences, allowing attackers to bypass restrictions and set the uploads directory to arbitrary locations, including sensitive system directories.
Exploitation enables attackers to download any file on the server, such as configuration files containing database credentials, and to overwrite critical system files by replacing executable PHP files with malicious code, leading to remote code execution.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including disclosure of sensitive information, such as database passwords, by allowing arbitrary file downloads.
It also allows remote code execution by overwriting executable PHP files with malicious code, which can lead to full system compromise.
Additionally, attackers can cause denial of service by corrupting critical system files, affecting the availability and integrity of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the uploads path in the Chyrp Lite administration console can be set to arbitrary or sensitive directories using path traversal sequences.
Specifically, you can test if the uploads path accepts directory traversal patterns such as '../' or evasion patterns like '/...../' which resolve to '../'.
Commands or steps to detect the vulnerability include:
- Attempt to change the uploads path in the admin console to an absolute root path such as '/' and verify if it is accepted.
- Try setting the uploads path to sensitive directories like '/includes/' or '/tmp/' using traversal sequences.
- Use the download.php script to attempt downloading sensitive files (e.g., config.json.php) from the uploads path.
- Check if the admin_update_upload() action allows overwriting files in these directories.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Chyrp Lite to version 2026.01 or later, where this vulnerability is fixed.
The patch disallows backtracking using '../' path components and prevents setting unsafe directories as the uploads path.
Until the upgrade can be applied, restrict access to the administration console to trusted users only, especially those with Change Settings permission.
Additionally, monitor and audit changes to the uploads path and any file uploads or downloads to detect suspicious activity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated user to download sensitive files such as configuration files containing database credentials and to overwrite critical system files, leading to remote code execution. Such unauthorized access and manipulation of sensitive data can result in breaches of confidentiality, integrity, and availability.
Because of the potential disclosure of sensitive information and unauthorized system control, this vulnerability could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and modification.