Path Traversal Vulnerability in Chyrp Lite Blogging Engine
CVE-2026-35174

9.1 CRITICAL

Key Information:

Vendor
CVE Published: 6 April 2026

What is CVE-2026-35174?

Chyrp Lite, an ultra-lightweight blogging engine, contains a path traversal vulnerability in its administration console, allowing users with the 'Change Settings' permission to alter the uploads path to any directory on the server. This serious flaw enables unauthorized access to server files, potentially leading to the exposure of sensitive information such as database credentials stored in 'config.json.php', and may allow the malicious overwriting of critical system files, resulting in remote code execution. The issue has been addressed in version 2026.01.

Affected Version(s)

chyrp-lite < 2026.01

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved