Description
SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server.
Published: 2026-02-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw (CWE-89) that allows authenticated low-privilege users to craft union-based queries and, by leveraging PHP tag processing, to execute arbitrary code on the server. Attackers can remotely inject SQL, ultimately forcing the web application to evaluate PHP code that they supply. If exploited successfully, the attacker gains full control over the web server, enabling data theft, defacement, or further compromise. The flaw exists in SPIP prior to version 4.4.10 and does not affect newer releases.

Affected Systems

Vendors: SPIP. Product: SPIP CMS. Affected releases are all versions before 4.4.10. Any installation of SPIP that has not been upgraded beyond this release is vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity vulnerability. EPSS is less than 1%, implying that exploitation is currently rare, and it is not listed in CISA's KEV catalog. The attack requires an authenticated low-privilege user; once inside the application, the attacker can manipulate the query "union" string and trigger PHP tag parsing to achieve remote code execution. Because the vector is web-based, any publicly exposed SPIP instance that allows user registration or content editing could be targeted, provided the user has editor rights.

Generated by OpenCVE AI on April 16, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SPIP 4.4.10 or later, where the injection vector has been removed.
  • Reduce privileged access: disable or restrict editor roles that can create or edit content containing PHP tags; ensure no low-privilege users can submit arbitrary HTML or XML that might be processed.
  • As a temporary measure, configure the SPIP installation to strip or block PHP tags from user-supplied content, or adjust the database query code to use parameterized statements (e.g., via PDO or prepared statements) to eliminate the injection possibility.
  • Monitor application logs for unusual SQL or PHP execution patterns and review user activity for signs of exploitation.

Advisories

Source: Debian DSA
ID: DSA-6155-1
Title: spip security update
History

Thu, 05 Mar 2026 02:15:00 +0000

Type: First Time appeared
Values Added: Spip saisies

Type: CPEs
Values Added: cpe:2.3:a:spip:saisies:*:*:*:*:*:spip:*:*

Type: Vendors & Products
Values Added: Spip saisies

Mon, 02 Mar 2026 16:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 18:30:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Spip; Spip spip

Type: Vendors & Products
Values Added: Spip; Spip spip

Thu, 26 Feb 2026 21:00:00 +0000

Type: Description
Values Added: SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server.

Type: Title
Values Added: SPIP < 4.4.10 SQL Injection RCE via Union & PHP Tags

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (empty)

Type: Metrics (cvssV4_0)
Values Added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:18.401Z

Reserved: 2026-01-06T16:47:17.186Z

Link: CVE-2026-22206

Vulnrichment

Updated: 2026-02-27T20:08:42.546Z

NVD

Status: Analyzed

Published: 2026-02-26T21:28:52.397

Modified: 2026-03-02T15:58:07.000

Link: CVE-2026-22206

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses