Chyrp Lite is vulnerable to a critical path traversal flaw that allows authenticated users to overwrite system files and execute arbitrary code on the server.

The administration console contains a path traversal vulnerability that permits users with 'Change Settings' permissions to modify the uploads path. This can be abused to read sensitive files, such as config.json.php, to extract database credentials, or to overwrite system files to achieve remote code execution.

Given the CVSS score of 9.1, this vulnerability is critical. An attacker with minimal administrative access can escalate their privileges to full system compromise, resulting in complete data exposure and loss of control over the blogging engine.

Immediate Action: Update Chyrp Lite to version 2026.01 or later immediately.

Proactive Monitoring: Review file integrity logs for unauthorized modifications to core system files and monitor access logs for attempts to traverse directories in the configuration path.

Compensating Controls: Restrict administrative access to the blogging engine to trusted internal IP addresses and enforce the principle of least privilege for all user accounts.

Public Exploit Available: false

All administrators of Chyrp Lite must upgrade to the latest version immediately. The ability to achieve remote code execution via this flaw makes it a primary target for attackers, and rapid patching is necessary to maintain system security.