CVE-2026-35174: Chyrp Lite Path Traversal Vulnerability

CVE-2026-35174 Overview

CVE-2026-35174 is a critical path traversal vulnerability affecting Chyrp Lite, an ultra-lightweight blogging engine. Prior to version 2026.01, a flaw exists in the administration console that allows an administrator or a user with Change Settings permission to manipulate the uploads path configuration to point to arbitrary directories on the server. This vulnerability enables attackers to download sensitive files, including config.json.php containing database credentials, and overwrite critical system files, ultimately leading to remote code execution.

Critical Impact

Authenticated attackers with Change Settings permission can achieve arbitrary file read and write access, potentially compromising the entire server through remote code execution.

Affected Products

• Chyrp Lite versions prior to 2026.01

Discovery Timeline

• 2026-04-06 - CVE CVE-2026-35174 published to NVD
• 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-35174

Vulnerability Analysis

This vulnerability falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The flaw resides in the administration console's settings functionality, which fails to properly validate or sanitize the uploads path parameter before accepting user-supplied values.

When an authenticated user with Change Settings permission modifies the uploads path, the application does not enforce sufficient restrictions to ensure the path remains within expected boundaries. This allows an attacker to specify paths using directory traversal sequences (such as ../) or absolute paths to access directories outside the intended upload folder.

The exploitation chain involves two primary attack scenarios: arbitrary file read and arbitrary file write. In the file read scenario, an attacker can configure the uploads path to point to sensitive directories, then use the application's file download functionality to retrieve critical files. The config.json.php file is a particularly valuable target as it contains database credentials and other sensitive configuration data.

The file write scenario is even more dangerous. By redirecting the uploads path to a web-accessible directory or a location containing executable code, an attacker can upload malicious files that will be executed by the web server, achieving remote code execution.

Root Cause

The root cause of this vulnerability is insufficient input validation in the uploads path configuration handler. The application fails to implement proper path canonicalization and validation to ensure the specified uploads directory remains within the application's designated storage area. The absence of allowlist-based directory restrictions and path normalization before storage allows malicious path values to persist in the application configuration.

Attack Vector

The attack vector is network-based and requires authenticated access with elevated privileges (Change Settings permission). An attacker must first obtain valid credentials for an account with Change Settings permission, either through credential theft, social engineering, or by exploiting another vulnerability. Once authenticated, the attacker navigates to the administration console's settings section and modifies the uploads path to a target directory such as /etc/ or the web root. The attacker can then use the application's file management features to read sensitive files or upload malicious content to achieve code execution.

The vulnerability mechanism works by exploiting the trust placed in the uploads path configuration value. When the application processes file operations, it uses this configured path without re-validating that it points to a safe location, enabling directory traversal attacks through configuration manipulation rather than through traditional path traversal in file operation parameters.

Detection Methods for CVE-2026-35174

Indicators of Compromise

• Unexpected changes to the uploads path setting in Chyrp Lite configuration
• Access logs showing requests to download sensitive files like config.json.php
• Unusual file uploads appearing in system directories outside the expected uploads folder
• Web server logs indicating access to newly created files in unexpected locations

Detection Strategies

• Monitor configuration file changes for modifications to upload path settings
• Implement file integrity monitoring on critical system files and configuration directories
• Review web application logs for suspicious file download or upload patterns
• Alert on any changes to administrative settings, particularly those affecting file storage paths

Monitoring Recommendations

• Enable verbose logging in Chyrp Lite to capture all administrative actions
• Deploy a Web Application Firewall (WAF) with rules to detect path traversal patterns
• Implement real-time monitoring for changes to the config.json.php file
• Set up alerting for any new executable files created in web-accessible directories

How to Mitigate CVE-2026-35174

Immediate Actions Required

• Upgrade Chyrp Lite to version 2026.01 or later immediately
• Review current uploads path configuration to ensure it points to the expected directory
• Audit user accounts with Change Settings permission and remove unnecessary access
• Check system logs for any signs of exploitation before patching

Patch Information

This vulnerability has been fixed in Chyrp Lite version 2026.01. The patch implements proper validation of the uploads path to prevent directory traversal attacks. Administrators should update to this version or later as soon as possible. For detailed information about the security fix, refer to the GitHub Security Advisory.

Workarounds

• Restrict Change Settings permission to only essential administrator accounts
• Implement filesystem-level restrictions to prevent the web server from accessing directories outside the application root
• Use operating system permissions to make sensitive files like config.json.php readable only by the web server process
• Consider placing the application behind an additional authentication layer to reduce exposure

# Example: Restrict file permissions on sensitive configuration
chmod 600 /path/to/chyrp-lite/includes/config.json.php
chown www-data:www-data /path/to/chyrp-lite/includes/config.json.php

# Example: Limit uploads directory access at the filesystem level
# Ensure uploads directory cannot traverse outside intended location
chattr +i /path/to/chyrp-lite/uploads/.htaccess