CVE-2026-35173

MEDIUM 6.5

Chyrp Lite has an IDOR via Mass Assignment in Post Model

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post_attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user’s post rather than the attacker’s own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01.

CWE	CWE-639 CWE-914
Vendor	xenocrat
Product	chyrp-lite
Published	Apr 6, 2026
Last Updated	Apr 6, 2026

Stay Ahead of the Next One

Get instant alerts for xenocrat chyrp-lite

Be the first to know when new medium vulnerabilities affecting xenocrat chyrp-lite are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

xenocrat / chyrp-lite

< 2026.01

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/xenocrat/chyrp-lite/security/advisories/GHSA-8c3h-rh2j-fxr9