Impact
The vulnerability in SPIP versions prior to 4.4.9 allows an authenticated user who can edit a syndicated site to supply an arbitrary URL for it. Because the URL is not validated, the application issues the request to the specified destination, giving the attacker a way to exfiltrate data, probe internal services, or reach external hosts from the server's network context. The impact is an indirect data disclosure or network reconnaissance capability, limited by the privileges of the authenticated user and by what the server itself can reach.
Affected Systems
All installations of SPIP version 4.4.8 or older that use the syndication functionality are affected. The affected product is SPIP, and the affected versions are all releases prior to 4.4.9. No other SPIP versions or products are impacted, and no additional vendor or product information is listed in the CNA data.
Risk and Exploitability
A CVSS score of 5.3 indicates moderate severity, and an EPSS of less than 1% suggests that exploitation is predicted to be very unlikely at this time. The vulnerability is not included in the CISA KEV list. The attack requires an authenticated account with permission to edit syndicated sites, a capability typically reserved for site administrators or power users. Because the SSRF request originates from the server, the attacker can reach any resource accessible to that server, which makes internal network discovery or data exfiltration possible.
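The missing control described in the Impact and Risk sections is validation of the syndication URL before the server fetches it. The following destination check is an added example written for this page, not SPIP's own code; it assumes a pluggable `resolve` hook (so it can run offline) and treats any non-public address, scheme other than HTTP(S), or embedded credentials as a reason to refuse the fetch.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve_all(hostname):
    # Default resolver: every address the server might actually connect to.
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}

def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # scoped or malformed literal: refuse rather than guess
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.5 as 10.0.0.5
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def is_safe_syndication_url(url, resolve=resolve_all):
    """Return (ok, reason) for a user-supplied feed URL.
    Every DNS answer must be public, since the fetcher may use any of them.
    The fetch must then pin the validated address and re-run this check on
    each redirect; otherwise a rebinding or redirecting host bypasses it.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = {str(ipaddress.ip_address(host))}  # literal IP, no DNS
    except ValueError:
        try:
            addresses = set(resolve(host))
        except OSError:
            return False, "dns resolution failed"
    for address in addresses:
        if not is_public_address(address):
            return False, f"non-public address {address}"
    return True, "ok"
```

The check is only half of the mitigation: the HTTP client that fetches the feed must connect to the address that passed the check and must not follow redirects without re-validating the new location.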