CVE•Published 2026-04-06•Modified 2026-04-14•0 articles on news•5 live references•NVD data

CVE-2026-35173Chyrplite · Chyrp_lite

Vulnerability data via NVD (ingested)

CVSS v3.1

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS percentile

—

Weaknesses (CWE)

CWE-639Authorization Bypass Through User-Controlled Key CWE-914Improper Control of Dynamically-Identified Variables

Description

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post_attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user’s post rather than the attacker’s own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01.

Timeline

Published 2026-04-06

Modified 2026-04-14

External references

NVD MITRE Exploit-DB Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-35173

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Chyrplite Chyrp Lite"

All exposed Chyrplite Chyrp Lite instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Chyrp Lite"

HTTP body or banner mentions "Chyrp Lite" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-35173