{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35174/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-35174"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Chyrp Lite"],"_cs_severities":["critical"],"_cs_tags":["chyrp-lite","path-traversal","rce","cve-2026-35174"],"_cs_type":"advisory","_cs_vendors":["Chyrp"],"content_html":"\u003cp\u003eChyrp Lite, an ultra-lightweight blogging engine, is vulnerable to a path traversal attack in versions prior to 2026.01. This vulnerability exists within the administration console, specifically affecting the handling of upload paths. An authenticated administrator, or a user with the 'Change Settings' permission, can manipulate the application to modify the designated uploads path to any directory on the server. This manipulation allows for the potential download of sensitive files, such as \u003ccode\u003econfig.json.php\u003c/code\u003e, which contains database credentials. Furthermore, it enables the overwriting of critical system files. Successful exploitation of this vulnerability leads to remote code execution, making it a critical risk for organizations utilizing affected versions of Chyrp Lite. Update to version 2026.01 or later to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Chyrp Lite administration console, either as an administrator or as a user with 'Change Settings' permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the settings page within the administration console.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the uploads path setting, using path traversal techniques (e.g., \u0026quot;../\u0026quot;) to point to an arbitrary directory on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified uploads path to download sensitive files, such as \u003ccode\u003econfig.json.php\u003c/code\u003e, which contains database credentials. This can be achieved by uploading a file to the manipulated path, and then accessing it via a crafted URL, or by directly requesting the file if webserver access is permitted for that directory.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the database credentials stored in \u003ccode\u003econfig.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised database credentials to gain further access to the Chyrp Lite system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file upload functionality, combined with the path traversal vulnerability, to overwrite critical system files with malicious code (e.g., PHP webshell).\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious code via a web request, achieving remote code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35174 allows an attacker to gain complete control of the Chyrp Lite server. This can lead to data breaches involving sensitive information stored in the database, defacement of the blog, or the server being used as a platform for further malicious activities. The CVSS v3.1 base score for this vulnerability is 9.1, indicating its critical severity. The number of potential victims depends on the number of organizations using vulnerable versions of Chyrp Lite, which is an ultra-lightweight blogging engine, suggesting a smaller installation base than larger CMS platforms.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Chyrp Lite to version 2026.01 or later to patch CVE-2026-35174.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (e.g., \u0026quot;../\u0026quot;) targeting the Chyrp Lite installation directory to detect exploitation attempts. Deploy the provided Sigma rule \u003ccode\u003eDetect Chyrp Lite Path Traversal Attempts\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies on the Chyrp Lite server, limiting the number of users with 'Change Settings' permissions.\u003c/li\u003e\n\u003cli\u003eReview the configuration of your Chyrp Lite installation to ensure proper file permissions and restrict web server access to sensitive files such as \u003ccode\u003econfig.json.php\u003c/code\u003e. Deploy the provided Sigma rule \u003ccode\u003eDetect Access to Sensitive Chyrp Lite Configuration File\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-chyrp-lite-path-traversal/","summary":"A path traversal vulnerability in Chyrp Lite blogging engine prior to version 2026.01 allows an administrator or a user with Change Settings permission to download arbitrary files, including configuration files containing database credentials, and overwrite critical system files, leading to remote code execution.","title":"Chyrp Lite Path Traversal Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-chyrp-lite-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-35174","version":"https://jsonfeed.org/version/1.1"}