Description
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.
Published: 2026-05-12
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SPIP versions before 4.4.14 are vulnerable to remote code execution in the public area when deployed with specific nginx configurations. An attacker who can craft requests that reach the vulnerable path can run arbitrary code with the privileges of the web server process. This flaw is a code injection issue (CWE-94) where the application fails to sanitize input that ends up executed by the web server.

Affected Systems

All SPIP installations older than 4.4.14 that are accessed through nginx and use the configurations known to trigger the flaw. The vulnerability is specific to nginx setups where certain directives allow user input to reach the web server’s execution context. No other products are mentioned as affected, and no detailed version list is provided beyond the version threshold.

Risk and Exploitability

With a CVSS score of 9.2, the vulnerability is considered highly severe. The EPSS score is not available, and the flaw is not listed in CISA’s KEV catalogue, suggesting that it may not yet be widely exploited, yet the potential impact is catastrophic. Attackers can exploit it via crafted HTTP requests when the nginx configuration permits the vulnerable code path, allowing full control over the web server process.

Generated by OpenCVE AI on May 12, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SPIP to version 4.4.14 or newer, where the vulnerability is fixed.
  • If an upgrade cannot be performed immediately, modify the nginx configuration to disable or restrict the directives that expose the vulnerable code path; for example, remove or restrict the public directory that allows the malicious input to be executed.
  • Monitor web server logs and security events for signs of exploitation attempts, such as abnormal requests or unexpected process execution.

Generated by OpenCVE AI on May 12, 2026 at 21:14 UTC.


Advisories

  Source: Debian DSA
  ID: DSA-6296-1
  Title: spip security update
History

Wed, 13 May 2026 15:15:00 +0000

  Type: Metrics
    Values Removed: (none)
    Values Added: ssvc
      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 23:15:00 +0000

  Type: First Time appeared
    Values Removed: (none)
    Values Added: Spip; Spip spip
  Type: Vendors & Products
    Values Removed: (none)
    Values Added: Spip; Spip spip

Tue, 12 May 2026 20:15:00 +0000

  Type: Title
    Values Removed: SPIP Prior to 4.4.14 Remote Code Execution via nginx
    Values Added: SPIP < 4.4.14 Remote Code Execution via nginx
  Type: Metrics
    Values Removed: cvssV4_0
      {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
    Values Added: cvssV4_0
      {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Tue, 12 May 2026 19:00:00 +0000

  Type: Description
    Values Removed: (none)
    Values Added: SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.
  Type: Title
    Values Removed: (none)
    Values Added: SPIP Prior to 4.4.14 Remote Code Execution via nginx
  Type: Weaknesses
    Values Removed: (none)
    Values Added: CWE-94
  Type: References
    Values Removed: (none)
    Values Added: (none listed)
  Type: Metrics
    Values Removed: (none)
    Values Added: cvssV3_1
      {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    cvssV4_0
      {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T17:04:06.810Z

Reserved: 2026-05-12T18:07:25.701Z

Link: CVE-2026-8430

Vulnrichment

Updated: 2026-05-13T14:42:08.588Z

NVD

Status: Deferred

Published: 2026-05-12T19:16:34.703

Modified: 2026-05-13T15:26:44.333

Link: CVE-2026-8430

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:00:10Z

Weaknesses