Description
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly into a SQL WHERE clause in a call to sql_getfetsel() without input validation or parameterization. An authenticated attacker with editor-level privileges can inject crafted SQL expressions into the id_parent parameter to manipulate the backend query. Successful exploitation can result in disclosure or modification of database contents and may lead to denial of service depending on the database configuration and privileges.
Published: 2026-02-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing data disclosure or modification
Action: Immediate Patch
AI Analysis

Impact

The SPIP interface_traduction_objets plugin contains an authenticated SQL injection flaw in its pipeline handling code. An editor‑level attacker can supply a crafted id_parent value that is directly concatenated into an SQL WHERE clause. This injection can exfiltrate sensitive data, alter database records, or potentially cause a denial of service depending on the underlying database configuration and user privileges. The weakness is an instance of CWE‑89, indicating unsanitized user input used in a database query.

Affected Systems

Any installation of SPIP that has the interface_traduction_objets plugin at a version earlier than 2.2.2 is vulnerable. The plugin is available for download from the SPIP website or via the SPIP package repository, and the vulnerability applies to all SPIP sites that have not upgraded the plugin to the patched 2.2.2 release. No other SPIP components are reported as affected.

Risk and Exploitability

The CVSS v3.1 score of 7.1 places the issue in the Medium severity range, while the EPSS score of less than 1% indicates a very low but non‑zero likelihood of exploitation in the wild. The vulnerability requires an authenticated user with editor privileges, limiting the threat to sites with ample editor accounts or compromised credentials. As the vulnerability is not listed in the CISA KEV catalog, no widespread active exploits are currently documented.

Generated by OpenCVE AI on April 16, 2026 at 16:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update interface_traduction_objets to version 2.2.2 or later
  • If an immediate update is not feasible, remove or disable the interface_traduction_objets plugin
  • Restrict editor permissions to trusted users or enforce strong authentication to prevent unauthorized manipulation of the id_parent parameter

Generated by OpenCVE AI on April 16, 2026 at 16:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Spip spip
CPEs cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
Vendors & Products Spip spip

Wed, 04 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 27 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:spip:interface_traduction_objets:*:*:*:*:*:*:*:*

Thu, 26 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 25 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
Description The SPIP interface_traduction_objets plugin versions prior to 4.3.3 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly into a SQL WHERE clause in a call to sql_getfetsel() without input validation or parameterization. An authenticated attacker with editor-level privileges can inject crafted SQL expressions into the id_parent parameter to manipulate the backend query. Successful exploitation can result in disclosure or modification of database contents and may lead to denial of service depending on the database configuration and privileges. The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly into a SQL WHERE clause in a call to sql_getfetsel() without input validation or parameterization. An authenticated attacker with editor-level privileges can inject crafted SQL expressions into the id_parent parameter to manipulate the backend query. Successful exploitation can result in disclosure or modification of database contents and may lead to denial of service depending on the database configuration and privileges.
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Spip
Spip interface Traduction Objets
Vendors & Products Spip
Spip interface Traduction Objets

Wed, 25 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Description The SPIP interface_traduction_objets plugin versions prior to 4.3.3 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly into a SQL WHERE clause in a call to sql_getfetsel() without input validation or parameterization. An authenticated attacker with editor-level privileges can inject crafted SQL expressions into the id_parent parameter to manipulate the backend query. Successful exploitation can result in disclosure or modification of database contents and may lead to denial of service depending on the database configuration and privileges.
Title SPIP interface_traduction_objets < 2.2.2 Authenticated SQL Injection
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Spip Interface Traduction Objets Spip
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:31:28.148Z

Reserved: 2026-02-23T21:38:48.842Z

Link: CVE-2026-27747

cve-icon Vulnrichment

Updated: 2026-02-25T15:50:43.894Z

cve-icon NVD

Status : Modified

Published: 2026-02-25T04:16:05.493

Modified: 2026-03-02T15:16:37.650

Link: CVE-2026-27747

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses