CVE-2026-35174

Chyrp Lite has a Path Traversal to Remote Code Execution

CVSS 9.1 CRITICALEPSS 0.6%CWE-22 CWE-434 CWE-73

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.1EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

06 Apr 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials and overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected products

xenocrat · chyrp-lite

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/xenocrat/chyrp-lite/security/advisories/GHSA-p6pf-2grm-8257