Whoamins

#17170 of 53,624
15.6 Total CVSS
Vulnerabilities · 2
Medium · 1
Critical · 1
PT-2026-30694
6.5
2026-04-06
Unknown · Chyrp Lite · CVE-2026-35173
Name of the Vulnerable Software and Affected Versions
Chyrp Lite versions prior to 2026.01

Description
Chyrp Lite, an ultra-lightweight blogging engine, contains an IDOR / Mass Assignment issue in the Post model. Authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) can modify posts they do not own or have permission to edit. By manipulating internal class properties like `id` within the `post attributes` payload, an attacker can alter the object being instantiated, leading to post takeover by performing actions on another user’s post.

Recommendations
Update to version 2026.01 or later.

PT-2026-30695
9.1
2026-04-06
Unknown · Chyrp Lite · CVE-2026-35174
Name of the Vulnerable Software and Affected Versions
Chyrp Lite versions prior to 2026.01

Description
Chyrp Lite, an ultra-lightweight blogging engine, contains a path traversal vulnerability in the administration console. This allows an administrator or a user with Change Settings permission to modify the uploads path to any folder on the server. Successful exploitation enables downloading sensitive files, such as `config.json.php` containing database credentials, and overwriting critical system files, potentially leading to remote code execution.

Recommendations
Versions prior to 2026.01 should be updated to version 2026.01.