CVE-2026-27475

SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html	Vendor Advisory Release Notes
https://git.spip.net/spip/spip	Product
https://www.vulncheck.com/advisories/spip-insecure-deserialization	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-19 19:22

Updated : 2026-02-24 19:37

NVD link : CVE-2026-27475

Mitre link : CVE-2026-27475

CVE.ORG link : CVE-2026-27475

JSON object : View

Products Affected

spip

spip

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2026-27475", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-19T19:22:30.720", "references": [{"url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-9.html", "tags": ["Vendor Advisory", "Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://git.spip.net/spip/spip", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/spip-insecure-deserialization", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen."}, {"lang": "es", "value": "SPIP anterior a 4.4.9 permite la deserializaci\u00f3n insegura en el \u00e1rea p\u00fablica a trav\u00e9s del filtro table_valeur y el iterador DATA, que aceptan datos serializados. Un atacante que puede colocar contenido serializado malicioso (una precondici\u00f3n que requiere acceso previo u otra vulnerabilidad) puede desencadenar la instanciaci\u00f3n arbitraria de objetos y potencialmente lograr la ejecuci\u00f3n de c\u00f3digo. El uso de datos serializados en estos componentes ha sido desaprobado y ser\u00e1 eliminado en SPIP 5. Esta vulnerabilidad no es mitigada por la pantalla de seguridad de SPIP."}], "lastModified": "2026-02-24T19:37:54.003", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1590B61F-3E4B-4634-849E-E46C8BD6AA93", "versionEndExcluding": "4.4.9", "versionStartIncluding": "4.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}