CVE-2026-35174
Published April 6, 2026 · Updated April 7, 2026
What This Means
CVE-2026-35174 is a critical path traversal vulnerability in Chyrp Lite prior to version 2026.01. An attacker with administrative or Change Settings permissions can manipulate the uploads path, leading to unauthorized file downloads, including sensitive files such as config.json.php, and potential system file overwrites, enabling remote code execution. Upgrade to version 2026.01 or later to mitigate this risk.
Official Description
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials, and to overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01.
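The descriptions above come down to one missing check: the uploads path setting was stored as given, so a relative or absolute value redirected the upload and download handlers anywhere on the filesystem. The following is an added illustration of the containment check that closes that class of bug; it is not Chyrp Lite's code or its actual fix, and the function and directory names are assumptions.

```python
import os
import tempfile

# Added illustration, not Chyrp Lite's code: a guard for an admin-editable
# "uploads path" setting. The flaw on this page is that the setting was
# accepted as given, so "../" or an absolute path moved the uploads handler
# (downloads and writes) to arbitrary directories. Names are assumptions.

class UnsafeUploadsPath(ValueError):
    """Raised when a configured uploads path escapes the permitted base."""

def resolve_uploads_path(uploads_base: str, configured: str) -> str:
    """Resolve the setting against uploads_base and require it to stay inside.

    uploads_base is a dedicated directory (never the site root, which would
    expose config.json.php); configured is the raw value from the form.
    """
    base = os.path.realpath(uploads_base)
    # join() drops base when configured is absolute, so "/etc" fails the
    # containment check just like "../../etc". realpath() follows symlinks,
    # so a link inside the base that points outside it is rejected as well.
    candidate = os.path.realpath(os.path.join(base, configured))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeUploadsPath(f"{configured!r} resolves to {candidate}, outside {base}")
    return candidate

def classify(uploads_base: str, values) -> dict:
    """Map each candidate setting to 'ok' or 'rejected'."""
    verdicts = {}
    for value in values:
        try:
            resolve_uploads_path(uploads_base, value)
            verdicts[value] = "ok"
        except UnsafeUploadsPath:
            verdicts[value] = "rejected"
    return verdicts

def demo_verdicts() -> dict:
    """Run the guard against constructed settings values in a scratch tree."""
    with tempfile.TemporaryDirectory() as site_root:
        base = os.path.join(site_root, "uploads")
        os.makedirs(os.path.join(base, "2026"))
        try:  # symlink escape case; skipped where symlinks are unavailable
            os.symlink(site_root, os.path.join(base, "escape"))
        except OSError:
            pass
        return classify(base, ["", "2026", "../config.json.php", "/etc/passwd",
                               "2026/../..", "escape"])

if __name__ == "__main__":
    for value, verdict in demo_verdicts().items():
        print(f"{value!r}: {verdict}")
```

The same check belongs wherever the stored setting is later used, not only in the settings form, so a value written directly to the configuration file is caught too.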
Recommended Actions
- Check whether any of your systems run Chyrp Lite at a version prior to 2026.01.
- Upgrade affected installations to Chyrp Lite 2026.01 or later, which contains the fix.
- Monitor vendor advisories for updates and additional mitigations.
- Review web server and application logs for indicators of compromise related to CVE-2026-35174, in particular unexpected changes to the uploads path setting.