CVE-2026-27475
Insecure Deserialization in SPIP Public Area Enables Code Execution
Publication date: 2026-02-19
Last updated on: 2026-02-24
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spip | spip | From 4.4.0 (inc) to 4.4.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects SPIP versions before 4.4.9 and involves insecure deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data.
An attacker who can place malicious serialized content (which requires prior access or another vulnerability) can trigger arbitrary object instantiation, potentially leading to code execution.
The use of serialized data in these components has been deprecated and will be removed in SPIP 5.
This vulnerability is not mitigated by the SPIP security screen.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to execute arbitrary code on the affected system.
This can lead to full compromise of the system running SPIP, including unauthorized access, data theft, or further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know