
25 matches found

OSV
added 2026/05/24 11:16 p.m. | 5 views

DEBIAN-CVE-2026-48832

action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability...

CVSS 3.5 | AI score 5.8 | EPSS 0.00028
Exploits 0 | References 1
EUVD
added 2026/05/24 10:36 p.m. | 8 views

EUVD-2026-31601

action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability...

CVSS 3.5 | AI score 5.8 | EPSS 0.00028
Exploits 0 | References 3
NVD
added 2026/05/12 7:16 p.m. | 5 views

CVE-2026-8429

SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections...

CVSS 8.8 | EPSS 0.00222
Exploits 0 | References 2
Vulnrichment
added 2026/05/12 6:43 p.m. | 3 views

CVE-2026-8430 SPIP < 4.4.14 Remote Code Execution via nginx

SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx...

CVSS 9.2 | AI score 6.7 | EPSS 0.00295
Exploits 0 | References 2
UbuntuCve
added 2026/03/22 3:16 a.m. | 0 views

CVE-2026-33549

SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment of administrator privileges during the editing of an author data structure because of STATUT mishandling...

CVSS 8.8 | AI score 5.8 | EPSS 0.00048
Exploits 0 | References 4
Positive Technologies
added 2026/03/22 12:00 a.m. | 3 views

PT-2026-26961

SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment of administrator privileges during the editing of an author data structure because of STATUT mishandling...

CVSS 6.7 | AI score 5.8 | EPSS 0.00048
Exploits 0 | References 4
CNVD
added 2026/03/11 12:00 a.m. | 1 views

SPIP SQL Injection Vulnerability

SPIP is free, open-source software for creating Internet sites. A SQL injection vulnerability exists in versions of SPIP prior to 4.4.10. The vulnerability stems from the application's lack of validation of externally supplied SQL input, which can be exploited by an attacker to achieve...

CVSS 8.8 | AI score 6.4 | EPSS 0.00224
Exploits 0 | References 1
Cvelist
added 2026/02/25 3:08 a.m. | 20 views

CVE-2026-27744 SPIP tickets < 4.3.3 Unauthenticated RCE

The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted request parameters into HTML that is later rendered by a template using unfiltered environment renderi...

CVSS 9.8 | EPSS 0.00423
Exploits 0 | References 5
RedhatCVE
added 2026/02/20 7:40 p.m. | 3 views

CVE-2026-26223

SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in...

CVSS 6.1 | AI score 5.2 | EPSS 0.00065
Exploits 0 | References 1
NVD
added 2026/02/19 7:22 p.m. | 2 views

CVE-2026-27473

SPIP before 4.4.9 allows stored cross-site scripting (XSS) via syndicated sites in the private area. The URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other...

CVSS 6.4 | EPSS 0.00071
Exploits 0 | References 3
NVD
added 2026/02/19 7:22 p.m. | 4 views

CVE-2026-27472

SPIP before 4.4.9 allows blind server-side request forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitra...

CVSS 5.3 | EPSS 0.00063
Exploits 0 | References 3
OSV
added 2026/02/19 7:22 p.m. | 0 views

UBUNTU-CVE-2026-27472

SPIP before 4.4.9 allows blind server-side request forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitra...

CVSS 5.3 | AI score 6 | EPSS 0.00063
Exploits 0 | References 5
ATTACKERKB
added 2026/02/19 6:38 p.m. | 1 views

CVE-2026-27472

SPIP before 4.4.9 allows blind server-side request forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitra...

CVSS 5.3 | AI score 5.9 | EPSS 0.00063
Exploits 0 | References 4 | Affected software 1
OSV
added 2026/02/19 4:27 p.m. | 2 views

UBUNTU-CVE-2026-26345

SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges e.g.,...

CVSS 8.6 | AI score 5.7 | EPSS 0.00065
Exploits 0 | References 5
UbuntuCve
added 2026/02/19 4:27 p.m. | 2 views

CVE-2026-26223

SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in...

CVSS 6.1 | AI score 5.8 | EPSS 0.00065
Exploits 0 | References 4
CVE
added 2026/02/19 3:25 p.m. | 9 views

CVE-2026-26345

SPIP before 4.4.8 is affected by a cross-site scripting (XSS) vulnerability in the public area. The echapper_html_suspect() function fails to detect certain malicious content, allowing script execution in a visitor's browser. Remediation: upgrade to SPIP 4.4.8 (or later) to fix the issue; no expl...

CVSS 8.6 | AI score 5.1 | EPSS 0.00065
Exploits 0 | References 3 | Affected software 1
Vulnrichment
added 2026/02/19 2:58 p.m. | 4 views

CVE-2025-71243 SPIP Saisies Plugin < 5.11.1 Remote Code Execution

The 'Saisies pour formulaire' (Saisies) plugin for SPIP, versions 5.4.0 through 5.11.0, contains a critical remote code execution (RCE) vulnerability. An attacker can exploit this vulnerability to execute arbitrary code on the server. Users should immediately update to version 5.11.1 or later...

CVSS 9.8 | AI score 6.5 | EPSS 0.85415
Exploits 5 | References 3
Positive Technologies
added 2026/02/19 12:00 a.m. | 1 views

PT-2026-20846

Name of the vulnerable software and affected versions: SPIP versions prior to 4.4.9. Description: SPIP versions before 4.4.9 contain a stored cross-site scripting (XSS) issue related to syndicated sites within the private area. The URL_SYNDIC output is not sufficiently sanitized when displaying detail...

CVSS 6.4 | AI score 5.4
Exploits 0 | References 7
CNNVD
added 2026/02/19 12:00 a.m. | 4 views

SPIP Security Vulnerability

SPIP is open-source software developed by SPIP for creating Internet websites. Versions of SPIP prior to 4.4.8 contain a security vulnerability caused by insufficient sanitization in the echapper_html_suspect function, which could lead to stored XSS attacks...

CVSS 8.6 | AI score 5.8 | EPSS 0.00065
Exploits 0 | References 3
Positive Technologies
added 2025/01/01 12:00 a.m. | 5 views

PT-2026-20839

Name of the vulnerable software and affected versions: SPIP versions prior to 4.3.6; SPIP versions prior to 4.2.17; SPIP versions prior to 4.1.20. Description: SPIP versions prior to 4.3.6, 4.2.17, and 4.1.20 contain a cross-site scripting (XSS) issue within the private area. The error message displayed...

CVSS 5.4 | AI score 5.2 | EPSS 0.00044
Exploits 0 | References 9