Description
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Because fields prefixed with an underscore bypass protection mechanisms and the hidden content is rendered with filtering disabled, an authenticated attacker with editor-level privileges can inject crafted content that is evaluated through SPIP's template processing chain, resulting in execution of code in the context of the web server.
Published: 2026-02-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The interface_traduction_objets plugin injects untrusted request data into a hidden form field that is rendered without SPIP output filtering. Because fields prefixed with an underscore bypass protection mechanisms, the hidden content is rendered with filtering disabled, allowing an authenticated attacker with editor-level privileges to inject crafted content that is evaluated by SPIP’s template processing chain. This results in execution of arbitrary code within the web server context, giving the attacker full control over the affected system.

Affected Systems

Sites running the SPIP interface_traduction_objets plugin at a version earlier than 2.2.2 are vulnerable. Any system with this plugin installed, regardless of the SPIP core version, must be examined, because the flaw lies in the plugin itself; exploitation requires authenticated access as a user with editor or higher privileges.

Risk and Exploitability

The CVSS base score of 8.7 classifies this as high severity, although the EPSS probability is under 1%, indicating a low observed exploitation rate to date. The vulnerability is not listed in the KEV catalog, but its impact is severe. Exploitation requires the attacker to authenticate with editor-level rights; once logged in, the attacker can craft a translation form submission that triggers the injection. Given the ease of exploitation for authorized users, administrators should treat this as an urgent risk.

Generated by OpenCVE AI on April 16, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the interface_traduction_objets plugin to version 2.2.2 or later; the patch removes the unsanitized hidden field.
  • Ensure the SPIP core installation is upgraded to at least 4.4.10, as the vendor's security advisory recommends updating both the core and the plugin to close all related code-execution paths.
  • If an immediate upgrade is not possible, disable or uninstall the interface_traduction_objets plugin until a patched version can be deployed.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type: First Time appeared
  Values added: Spip spip
Type: CPEs
  Values added: cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values added: Spip spip

Wed, 04 Mar 2026 17:15:00 +0000

Type: Metrics
  Values removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 20:45:00 +0000

Type: CPEs
  Values added: cpe:2.3:a:spip:interface_traduction_objets:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 16:15:00 +0000

Type: Metrics
  Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 20:30:00 +0000


Wed, 25 Feb 2026 16:15:00 +0000

Type: Description
  Values removed: The SPIP interface_traduction_objets plugin versions prior to 4.3.3 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Because fields prefixed with an underscore bypass protection mechanisms and the hidden content is rendered with filtering disabled, an authenticated attacker with editor-level privileges can inject crafted content that is evaluated through SPIP's template processing chain, resulting in execution of code in the context of the web server.
  Values added: The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Because fields prefixed with an underscore bypass protection mechanisms and the hidden content is rendered with filtering disabled, an authenticated attacker with editor-level privileges can inject crafted content that is evaluated through SPIP's template processing chain, resulting in execution of code in the context of the web server.
Type: References
  (no values listed)
Type: Metrics
  Values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
  Values added: Spip; Spip interface Traduction Objets
Type: Vendors & Products
  Values added: Spip; Spip interface Traduction Objets

Wed, 25 Feb 2026 04:15:00 +0000

Type: Description
  Values added: The SPIP interface_traduction_objets plugin versions prior to 4.3.3 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Because fields prefixed with an underscore bypass protection mechanisms and the hidden content is rendered with filtering disabled, an authenticated attacker with editor-level privileges can inject crafted content that is evaluated through SPIP's template processing chain, resulting in execution of code in the context of the web server.
Type: Title
  Values added: SPIP interface_traduction_objets < 2.2.2 Authenticated RCE
Type: Weaknesses
  Values added: CWE-94
Type: References
  (no values listed)
Type: Metrics
  Values added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:26.519Z

Reserved: 2026-02-23T21:38:48.842Z

Link: CVE-2026-27745

Vulnrichment

Updated: 2026-02-25T15:36:54.176Z

NVD

Status: Analyzed

Published: 2026-02-25T04:16:05.140

Modified: 2026-02-27T20:40:35.660

Link: CVE-2026-27745

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses