CVE-2026-35174 — CRITICAL (9.1)

Q: How severe is CVE-2026-35174?

CVE-2026-35174 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2026-35174?

Check the references section above for vendor advisories and patch information. Affected products include: Chyrplite Chyrp Lite.

Vulnerability Description

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials and overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Chyrplite	Chyrp Lite	< 2026.01

Related Weaknesses (CWE)

CWE-22 CWE-73 CWE-434

References

https://github.com/xenocrat/chyrp-lite/security/advisories/GHSA-p6pf-2grm-8257Vendor Advisory

FAQ

What is CVE-2026-35174?

CVE-2026-35174 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings pe...

How severe is CVE-2026-35174?

CVE-2026-35174 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-35174?

Check the references section above for vendor advisories and patch information. Affected products include: Chyrplite Chyrp Lite.