Description
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.
Published: 2026-05-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a remote code execution flaw in the private space of SPIP versions prior to 4.4.14. By sending specially crafted input, an attacker can run arbitrary code on the web server, bypassing the SPIP security screen protections. This is a code injection weakness (CWE‑94) that allows an attacker to compromise confidentiality, integrity, and availability of the affected system.

Affected Systems

The flaw affects the SPIP content management system and its private space feature. All SPIP installations with versions earlier than 4.4.14 are vulnerable. No specific patch versions are listed in the data, so any version below 4.4.14 should be considered at risk.

Risk and Exploitability

The CVSS score of 8.7 places the vulnerability in the High severity range, indicating that exploitation can result in full control over the affected server. EPSS data is not available, so the current exploitation probability is unknown, though the lack of KEV listing suggests no publicly known exploit yet. Attackers can likely reach the vulnerable code remotely via the private space interface, assuming the site is accessible and the attack requires no user interaction. The high severity and the potential for complete system takeover make this a critical risk for organizations running SPIP without a recent update.

Generated by OpenCVE AI on May 12, 2026 at 21:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SPIP to version 4.4.14 or later, which removes the remote code execution vulnerability.
  • If an upgrade is not immediately possible, disable or limit access to the private space for all users and restrict remote input to trusted administrators only.
  • Monitor web server logs for abnormal code execution patterns or unexpected user input involving the private space and enforce strict input validation.
  • Regularly check the SPIP security advisories page and apply any subsequent patches as they become available.

Generated by OpenCVE AI on May 12, 2026 at 21:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6296-1 spip security update
History

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Spip
Spip spip
Vendors & Products Spip
Spip spip

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title SPIP Prior to 4.4.14 Remote Code Execution via Private Space SPIP < 4.4.14 Remote Code Execution via Private Space

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.
Title SPIP Prior to 4.4.14 Remote Code Execution via Private Space
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Spip Spip
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T17:04:36.767Z

Reserved: 2026-05-12T18:07:12.595Z

Link: CVE-2026-8429

cve-icon Vulnrichment

Updated: 2026-05-13T14:15:12.498Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T19:16:34.553

Modified: 2026-05-13T15:26:44.333

Link: CVE-2026-8429

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:30:28Z

Weaknesses