Description
SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.
Published: 2026-02-19
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw exists in SPIP versions older than 4.4.9, where the public area accepts serialized payloads through the table_valeur filter and the DATA iterator. Because these components hand attacker-supplied strings to PHP deserialization, a crafted payload can instantiate arbitrary classes available to the application and, if a suitable gadget chain (classes whose magic methods such as __wakeup() or __destruct() act on attacker-controlled properties) is loadable, lead to code execution. The issue is classified as CWE-502, Deserialization of Untrusted Data.
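The pattern the CVE text describes, as an added illustration that is not SPIP's code: a lookup helper that accepts either an array or a serialized string and reconstructs the string with an unrestricted unserialize(), beside a hardened version. The TempFileCleaner class, the function names and the payload are constructed for this example; real gadget chains are assembled from classes that already exist in the application or its libraries.

```php
<?php
// Added illustration, not SPIP's code: the shape of the bug the CVE text
// describes (a lookup helper that unserialize()s a string it was handed)
// beside a hardened version. TempFileCleaner is a hypothetical gadget class.
declare(strict_types=1);

// Any autoloadable class with a magic method that acts on its own properties
// is a candidate gadget; real chains are built from framework/library classes.
final class TempFileCleaner
{
    public string $path = '';

    public function __destruct()
    {
        // Side effect driven entirely by a property the serialized payload controls.
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: accept either an array or a serialized string, and
// reconstruct the string with an unrestricted unserialize().
function table_lookup_vulnerable($table, string $key)
{
    if (is_string($table)) {
        $table = @unserialize($table);   // objects, and their magic methods, allowed
    }
    return is_array($table) ? ($table[$key] ?? null) : null;
}

// Hardened pattern: data should travel as arrays or JSON. If legacy serialized
// input must still be accepted, forbid every class so that no constructor,
// __wakeup() or __destruct() can run (objects become __PHP_Incomplete_Class).
function table_lookup_hardened($table, string $key)
{
    if (is_string($table)) {
        $decoded = json_decode($table, true);
        if (!is_array($decoded)) {
            $decoded = @unserialize($table, ['allowed_classes' => false]);
        }
        $table = $decoded;
    }
    return is_array($table) ? ($table[$key] ?? null) : null;
}

// Constructed payload: a serialized array whose "x" entry is a TempFileCleaner
// whose path property points at a file of the attacker's choosing.
function make_payload(string $path): string
{
    return sprintf(
        'a:1:{s:1:"x";O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}}',
        strlen($path), $path
    );
}

$victim = tempnam(sys_get_temp_dir(), 'cve');
table_lookup_vulnerable(make_payload($victim), 'x');  // object built, __destruct() fires
var_dump(file_exists($victim));                       // bool(false): the file is gone

$victim = tempnam(sys_get_temp_dir(), 'cve');
$v = table_lookup_hardened(make_payload($victim), 'x'); // inert __PHP_Incomplete_Class
var_dump(file_exists($victim), get_class($v));          // bool(true), "__PHP_Incomplete_Class"
unlink($victim);
```

The point to take from the hardened version is that allowed_classes => false is the floor, not the goal: it stops object instantiation, but the right fix for data that only ever needs to be an array is to stop accepting serialized strings at all, which is what the deprecation of serialized input in these components (removal announced for SPIP 5) amounts to.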

Affected Systems

SPIP, the content management system. All releases before SPIP 4.4.9 are vulnerable; no finer version detail is given beyond the pre-4.4.9 cutoff. The CVE record lists a single vendor/product, spip/spip, with a wildcard CPE (cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*), and notes that serialized input to the affected components is deprecated and will be removed in SPIP 5.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 score of 9.2 (Critical) and a CVSS v3.1 score of 8.1 (High). The v3.1 vector rates attack complexity as High and the v4.0 vector sets Attack Requirements to Present (AT:P); both encode the same pre-condition: an attacker must first be able to place malicious serialized data where the public area will process it, which typically requires prior access or a second vulnerability to write the payload. EPSS is below 1 %, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation as none, Automatable as no and Technical Impact as total. Once a crafted string reaches the exposed filter or iterator, arbitrary object instantiation follows; code execution additionally depends on a usable gadget chain being loadable in the application. The public nature of the affected components lowers the barrier to interaction but does not remove the payload injection pre-condition.

Generated by OpenCVE AI on April 16, 2026 at 16:48 UTC.

Remediation

The vendor fix is SPIP 4.4.9: the CVE description states that versions before 4.4.9 are affected. The Debian DSA-6155-1 spip security update listed under Advisories covers the Debian package. No workaround is documented, and the SPIP security screen (écran de sécurité) does not mitigate this issue.

OpenCVE Recommended Actions

  • Upgrade the SPIP installation to version 4.4.9 or later, which fixes the insecure handling of serialized data in the table_valeur filter and the DATA iterator (serialized input to these components is deprecated and is scheduled for removal in SPIP 5).
  • If an upgrade cannot be performed immediately: SPIP documents no switch that turns off the table_valeur filter or the DATA iterator, so audit the site's templates (squelettes) and plugins for places where a value a visitor can influence (URL parameters, form fields, stored user content) is passed to table_valeur or used as a DATA iterator source, and replace serialized strings there with arrays or JSON. Do not rely on the SPIP security screen, which the advisory states does not mitigate this issue.
  • Monitor web server and application logs for request parameters containing PHP object serialization markers (the O:<length>:"<ClassName>": prefix), block sources that send them, and restrict the ability of untrusted users to store content that templates later pass to these components until the patch is applied.
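One way to do the log check from the last bullet, as an added example that is not SPIP's code or OpenCVE's: a scanner that pulls the query-string parameters out of combined-format access log lines and reports any that carry a PHP serialized object marker. The log lines, the TempFileCleaner class name and the paths are constructed for this example. A serialized array of scalars is deliberately not flagged, since it is object instantiation, not serialization itself, that creates the risk.

```php
<?php
// Added example, not SPIP's code: flag request parameters that carry PHP
// serialized objects before they can reach a deserializing filter or iterator.
// The log lines are constructed samples; the class name and paths are invented.
declare(strict_types=1);

// Class names named in object markers (O:<len>:"<Class>": or C:<len>:"<Class>":).
// A serialized array of scalars (a:1:{...}) contains no such marker.
function serialized_object_classes(string $value): array
{
    if (preg_match_all('/(?<![A-Za-z0-9_])[OC]:\d+:"([A-Za-z0-9_\\\\]+)":/', $value, $m)) {
        return array_values(array_unique($m[1]));
    }
    return [];
}

// Pull every query-string parameter out of a combined-format access log line
// and report those that carry serialized objects. POST bodies are not in the
// access log; apply serialized_object_classes() to $_POST values in-app instead.
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $req)) {
            continue;
        }
        $query = parse_url($req[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);          // percent-decodes the values
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;
            }
            $classes = serialized_object_classes($value);
            if ($classes !== []) {
                $hits[] = ['line' => $n + 1, 'param' => $name, 'classes' => $classes];
            }
        }
    }
    return $hits;
}

// Constructed samples: a benign serialized array, an object payload, a plain POST.
$lines = [
    '203.0.113.7 - - [19/Feb/2026:10:01:12 +0000] "GET /spip.php?page=demo&tab=a%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Feb/2026:10:01:15 +0000] "GET /spip.php?page=demo&tab=O%3A15%3A%22TempFileCleaner%22%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A8%3A%22%2Ftmp%2Fabc%22%3B%7D HTTP/1.1" 200 512',
    '198.51.100.9 - - [19/Feb/2026:10:02:00 +0000] "POST /spip.php?action=demo HTTP/1.1" 302 0',
];

print_r(scan_access_log($lines));
// Only line 2 is reported: param "tab", classes ["TempFileCleaner"]
```

A hit tells you which parameter name to trace through the site's templates; a parameter that legitimately carries serialized arrays will show up only under the array marker and is not reported, so the scanner's output is short enough to review by hand.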

Generated by OpenCVE AI on April 16, 2026 at 16:48 UTC.


Advisories
Source: Debian DSA
ID: DSA-6155-1
Title: spip security update
History

Tue, 24 Feb 2026 19:45:00 +0000

Values added:
  Weaknesses: CWE-502

Fri, 20 Feb 2026 21:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 19:15:00 +0000

Values added:
  Description: (identical to the Description at the top of this page)
  Title: SPIP < 4.4.9 Insecure Deserialization
  First Time appeared: Spip; Spip spip
  CPEs: cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
  Vendors & Products: Spip; Spip spip
  References: (none recorded)
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Metrics (cvssV4_0): {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:19.222Z

Reserved: 2026-02-19T18:34:45.842Z

Link: CVE-2026-27475

Vulnrichment

Updated: 2026-02-20T20:10:22.201Z

NVD

Status : Analyzed

Published: 2026-02-19T19:22:30.720

Modified: 2026-02-24T19:37:54.003

Link: CVE-2026-27475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:00:09Z

Weaknesses